# yamllint disable rule:line-length
---
# Per-user account tasks. Every task reads a `user` mapping (name, uid,
# password_hash_openbsd, optional ssh_keys) that is defined outside this
# file, presumably by an including loop - confirm against the caller.
# Each account handled here is put in `wheel` and, where those groups exist
# on the host, in evobsd_internal_group, evobsd_ssh_group and
# evobsd_sudo_group. Going by the names, the last two gate SSH login and
# sudo - confirm - so the `user` data is effectively the admin roster.

# Primary group named after the account; its gid is taken from user.uid.
- name: "Group '{{ user.name }}' is present"
  ansible.builtin.group:
    state: present
    name: "{{ user.name }}"
    gid: "{{ user.uid }}"
  tags:
    - accounts
    - admin

# `password` is written as given, so it has to be an already-hashed value;
# the variable name suggests an OpenBSD-format hash - confirm.
# update_password is not set, so the module default applies and a hash that
# differs from this value is overwritten on the next run.
# append: true adds `wheel` without dropping other supplementary groups.
- name: "User '{{ user.name }}' is present"
  ansible.builtin.user:
    state: present
    name: "{{ user.name }}"
    uid: "{{ user.uid }}"
    password: "{{ user.password_hash_openbsd }}"
    group: "{{ user.name }}"
    groups: wheel
    shell: /bin/ksh
    append: true
  tags:
    - accounts
    - admin

# Fills getent_passwd. The tasks below test it so that they are skipped for
# an account that does not exist on the host yet (per the task name, the
# check_mode case, where the user task above creates nothing).
- name: "Gather available local users for usage in check_mode"
  ansible.builtin.getent:
    database: passwd
  tags:
    - accounts
    - admin

# Mode 0700 leaves the home directory readable and searchable by its owner
# only. The mode is quoted so it reaches the module as the string "0700"
# instead of being parsed as a number.
- name: "Home directory for '{{ user.name }}' is only accesible by owner"
  ansible.builtin.file:
    name: "/home/{{ user.name }}"
    mode: "0700"
    owner: "{{ user.name }}"
    group: "{{ user.name }}"
    state: directory
  when: user.name in getent_passwd.keys()
  tags:
    - accounts
    - admin

# One module call per entry of user.ssh_keys. state: present without
# `exclusive` only ever adds keys: a key deleted from user.ssh_keys stays in
# the account's authorized_keys until it is removed some other way (a
# state: absent task, or a single call with the full key list and
# exclusive: true).
- name: "SSH public keys for '{{ user.name }}' are present"
  ansible.posix.authorized_key:
    user: "{{ user.name }}"
    key: "{{ ssk_key }}"
    state: present
  with_items: "{{ user.ssh_keys }}"
  loop_control:
    loop_var: ssk_key
  when:
    - user.ssh_keys is defined
    - user.name in getent_passwd.keys()
  tags:
    - accounts
    - admin

# Fills getent_group, used by the membership task below.
- name: "Gather available local groups for usage in check_mode"
  ansible.builtin.getent:
    database: group
  tags:
    - accounts
    - admin

# Adds the account to each of the three groups, one call per group, keeping
# existing memberships (append: true).
# The getent_group test skips a group that is absent from the host instead
# of failing, so a mistyped or unset-up group name ends in silently missing
# membership; review the skipped items in the run output.
- name: "Add {{ user.name }} to {{ evobsd_internal_group }}, {{ evobsd_ssh_group }}, {{ evobsd_sudo_group }} group"
  ansible.builtin.user:
    name: "{{ user.name }}"
    groups: "{{ groups_item }}"
    append: true
  with_items:
    - "{{ evobsd_internal_group }}"
    - "{{ evobsd_ssh_group }}"
    - "{{ evobsd_sudo_group }}"
  loop_control:
    loop_var: groups_item
  when:
    - user.name in getent_passwd.keys()
    - groups_item in getent_group.keys()
  tags:
    - accounts
    - admin