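---
# users.yml — user, group and SSH key management tasks.
#
# Variables read by this file (all lists unless noted):
#   default_user                      required; items: name, group_id?, user_id?, group?, home?, shell?, password, ssh_keys
#   extra_user                        optional; same item layout as default_user (group_id?/user_id?/home?/shell?/password/ssh_keys)
#   entries_authorized_key            optional; items: user, key
#   create_sftp_group                 optional scalar; truthy/positive → create the 'sftp_users' system group
#   extra_system_user                 optional; items: name, home, shell?, groups?
#   ssh_keypair_backup_server         optional; items: priv_key_src, priv_key_dest, pub_key_src, pub_key_dest, backup_user
#   insert_ssh_keypair_backup_server  boolean gate for the backup-server key copies
#   ssh_keypair_backup_client         optional; items: priv_key_src, priv_key_dest, pub_key_src, pub_key_dest, target
#   insert_keypair_backup_client      boolean gate for the backup-client key copies
#   root_ssh_keypair                  optional; items: priv_key_src, priv_key_dest, pub_key_src, pub_key_dest
#   insert_root_ssh_keypair           boolean gate for the further root key copies
#
# Every optional list is looped with `| default([])` so that an undefined
# variable makes the task skip (as the `when` guards intend) instead of
# failing while the loop expression is templated.

# ---
# - default user/groups
# ---
- name: (users.yml) Ensure default groups exists
  group:
    name: '{{ item.name }}'
    state: present
    gid: '{{ item.group_id | default(omit) }}'
  loop: "{{ default_user }}"
  loop_control:
    label: '{{ item.name }}'
  # Only entries that carry an explicit group_id get a dedicated group.
  when: item.group_id is defined
  tags:
    - groups-exists

- name: (users.yml) Ensure default users exists
  user:
    name: '{{ item.name }}'
    state: present
    uid: '{{ item.user_id | default(omit) }}'
    group: '{{ item.group | default(omit) }}'
    #group: '{{ item.name | default(omit) }}'
    home: '{{ item.home | default(omit) }}'
    shell: '{{ item.shell|d("/bin/bash") }}'
    # The user module writes this value into the shadow entry as-is, so it
    # must already be a crypt(3)-style hash, never a clear-text password.
    password: "{{ item.password }}"
    # Existing accounts keep their password; only new accounts get one.
    update_password: on_create
  # Keep password hashes out of the play log (verbose runs print loop items).
  no_log: true
  loop: "{{ default_user }}"
  loop_control:
    label: '{{ item.name }}'
  tags:
    - users-exists

- name: (users.yml) Ensure authorized_key files for default users are present
  authorized_key:
    user: "{{ item.0.name }}"
    key: "{{ item.1 }}"
    state: present
  with_subelements:
    - '{{ default_user }}'
    - ssh_keys
  loop_control:
    label: "{{ item.0.name }}"
  tags:
    - authorized_key

# ---
# - extra user/groups
# ---
- name: (users.yml) Ensure extra groups exists
  group:
    name: '{{ item.name }}'
    state: present
    gid: '{{ item.group_id | default(omit) }}'
  loop: "{{ extra_user | default([]) }}"
  loop_control:
    label: '{{ item.name }}'
  when:
    - extra_user is defined and extra_user|length > 0
    - item.group_id is defined
  tags:
    - groups-exists

- name: (users.yml) Ensure extra users exists
  user:
    name: '{{ item.name }}'
    state: present
    uid: '{{ item.user_id | default(omit) }}'
    # NOTE(review): item.name is always set, so default(omit) never applies
    # here; the primary group must already exist, and the task above only
    # creates it when item.group_id is given — confirm this is intended.
    group: '{{ item.name | default(omit) }}'
    home: '{{ item.home | default(omit) }}'
    shell: '{{ item.shell|d("/bin/bash") }}'
    # Must be a pre-hashed value (see the default users task).
    password: "{{ item.password }}"
    update_password: on_create
  no_log: true
  loop: "{{ extra_user | default([]) }}"
  loop_control:
    label: '{{ item.name }}'
  when: extra_user is defined and extra_user|length > 0
  tags:
    - users-exists

- name: (users.yml) Ensure authorized_key files for extra users are present
  authorized_key:
    user: "{{ item.0.name }}"
    key: "{{ item.1 }}"
    state: present
  with_subelements:
    - '{{ extra_user | default([]) }}'
    - ssh_keys
  loop_control:
    label: "{{ item.0.name }}"
  when: extra_user is defined and extra_user|length > 0
  tags:
    - authorized_key

# Free-form (user, key) pairs that are not tied to a managed account.
# NOTE(review): this task carries no tags, so a `--tags authorized_key`
# run skips it — confirm that is intended.
- name: (users.yml) other entries authorized_key files
  authorized_key:
    user: "{{ item.user }}"
    key: "{{ item.key }}"
    state: present
  loop: "{{ entries_authorized_key | default([]) }}"
  loop_control:
    label: "{{ item.user }}"
  when:
    - entries_authorized_key is defined
    - entries_authorized_key|length > 0

# ---
# - extra system groups
# ---
- name: (users.yml) Extra system group sftp_users
  group:
    name: 'sftp_users'
    state: present
    system: true
  when:
    - create_sftp_group is defined and create_sftp_group > 0
  tags:
    - groups-exists

# ---
# - extra system user
# ---
- name: (users.yml) extra system user exists?
  user:
    name: '{{ item.name }}'
    state: present
    system: true
    home: '{{ item.home }}'
    # System accounts get no interactive shell unless the item says otherwise.
    shell: '{{ item.shell|d("/usr/sbin/nologin") }}'
    groups: '{{ item.groups | default(omit) }}'
  loop: "{{ extra_system_user | default([]) }}"
  loop_control:
    label: '{{ item.name }}'
  when: extra_system_user is defined and extra_system_user|length > 0
  tags:
    # NOTE(review): singular 'user-exists' here vs 'users-exists' above.
    - user-exists

# ---
# - Take care backup host has rsa key to connect via ssh to the other hosts
# ---
- name: (users.yml) Copy ssh rsa private key to user root on backup server
  copy:
    src: '{{ item.priv_key_src }}'
    dest: '{{ item.priv_key_dest }}'
    owner: root
    group: root
    # Private key material: readable by root only.
    mode: '0600'
  loop: "{{ ssh_keypair_backup_server | default([]) }}"
  loop_control:
    label: '{{ item.priv_key_dest }}'
  when:
    - insert_ssh_keypair_backup_server|bool
    - ssh_keypair_backup_server is defined
    - ssh_keypair_backup_server|length > 0
  tags:
    - insert-ssh-keypair-backup-server
    - keypair-backup-server

- name: (users.yml) Copy ssh rsa public key to user root on backup server
  copy:
    src: '{{ item.pub_key_src }}'
    dest: '{{ item.pub_key_dest }}'
    owner: root
    group: root
    mode: '0644'
  loop: "{{ ssh_keypair_backup_server | default([]) }}"
  loop_control:
    label: '{{ item.pub_key_dest }}'
  when:
    - insert_ssh_keypair_backup_server|bool
    - ssh_keypair_backup_server is defined
    - ssh_keypair_backup_server|length > 0
  tags:
    - insert-ssh-keypair-backup-server
    - keypair-backup-server

- name: (users.yml) Ensure user back has public rsa key of backup server
  authorized_key:
    user: "{{ item.backup_user }}"
    # The public key is read from the controller, not from the target host.
    key: "{{ lookup('file', item.pub_key_src) }}"
    state: present
  loop: "{{ ssh_keypair_backup_server | default([]) }}"
  loop_control:
    label: 'authorized_keys - user: {{ item.backup_user }}'
  when:
    - ssh_keypair_backup_server is defined
    - ssh_keypair_backup_server|length > 0
  tags:
    - authorized_key
    - keypair-backup-server

# ---
# - Allow connection via ssh to backup host
# ---
- name: Ensure root's .ssh directory exists
  file:
    path: /root/.ssh
    state: directory
    owner: root
    group: root
    # sshd ignores authorized_keys when ~/.ssh is group/world accessible;
    # without an explicit mode the directory would get the umask default.
    mode: '0700'

- name: (users.yml) Copy (backup) ed25519 ssh private key to user root
  copy:
    src: '{{ item.priv_key_src }}'
    dest: '{{ item.priv_key_dest }}'
    owner: root
    group: root
    mode: '0600'
  when:
    - insert_keypair_backup_client|bool
    - ssh_keypair_backup_client is defined
    - ssh_keypair_backup_client|length > 0
  loop: "{{ ssh_keypair_backup_client | default([]) }}"
  loop_control:
    label: 'dest: {{ item.priv_key_dest }}'
  tags:
    # NOTE(review): underscore form, unlike the hyphenated tags elsewhere,
    # and named "server" although this copies the client key pair.
    - insert_ssh_keypair_backup_server

- name: (users.yml) Copy (backup) ed25519 ssh public key to user root
  copy:
    src: '{{ item.pub_key_src }}'
    dest: '{{ item.pub_key_dest }}'
    owner: root
    group: root
    mode: '0644'
  when:
    - insert_keypair_backup_client|bool
    - ssh_keypair_backup_client is defined
    - ssh_keypair_backup_client|length > 0
  loop: "{{ ssh_keypair_backup_client | default([]) }}"
  loop_control:
    label: 'dest: {{ item.pub_key_dest }}'
  tags:
    - insert_ssh_keypair_backup_server

- name: (users.yml) Ensure authorized_key (root) on backup hosts contains public key
  authorized_key:
    user: root
    key: "{{ lookup('file', item.pub_key_src) }}"
    state: present
  loop: "{{ ssh_keypair_backup_client | default([]) }}"
  loop_control:
    label: 'authorized_keys - user: root'
  when:
    # Only the host named in item.target receives this public key.
    - inventory_hostname == item.target
    - ssh_keypair_backup_client is defined
    - ssh_keypair_backup_client|length > 0
  tags:
    - authorized_key
    - ssh-keypair-backup-server

- name: (users.yml) Copy further ssh private key(s) to user root
  copy:
    src: '{{ item.priv_key_src }}'
    dest: '{{ item.priv_key_dest }}'
    owner: root
    group: root
    mode: '0600'
  loop: "{{ root_ssh_keypair | default([]) }}"
  loop_control:
    label: 'dest: {{ item.priv_key_dest }}'
  when:
    - insert_root_ssh_keypair|bool
    - root_ssh_keypair is defined
    - root_ssh_keypair|length > 0
  tags:
    - insert_root_ssh_keypair
    # Misspelled tag kept so existing --tags invocations keep working;
    # the corrected spelling is offered alongside it.
    - root-defaut-ssh-keypair
    - root-default-ssh-keypair

- name: (users.yml) Copy further ssh public key(s) to user root
  copy:
    src: '{{ item.pub_key_src }}'
    dest: '{{ item.pub_key_dest }}'
    owner: root
    group: root
    mode: '0644'
  loop: "{{ root_ssh_keypair | default([]) }}"
  loop_control:
    label: 'dest: {{ item.pub_key_dest }}'
  when:
    - insert_root_ssh_keypair|bool
    - root_ssh_keypair is defined
    - root_ssh_keypair|length > 0
  tags:
    - insert_root_ssh_keypair
    - root-defaut-ssh-keypair
    - root-default-ssh-keypair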