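---
# os_base role tasks: security groups, managed users and their ssh keys,
# APT preferences, base packages and sudo access.
#
# Variables read by this file (defined by the caller / role defaults):
#   system_accounts             - list of account dicts; keys used below:
#                                 name (required), uid, groups, shell, comment,
#                                 home, system, state, sshkeys, sshkey_state,
#                                 permissions (list; 'sudo' / 'sudo_nopass')
#   system_packages             - list of packages to install
#   system_packages_norecommend - bool, disable APT::Install-Recommends
#   system_packages_nosuggest   - bool, disable APT::Install-Suggests

- name: Display os_base role
  ansible.builtin.debug:
    var: role_config
    verbosity: 1
  vars:
    role_config:
      system_accounts: "{{ system_accounts }}"
      system_packages: "{{ system_packages }}"
      tasks:
        - Ensure system security groups are present
        - Create system users from system_accounts
        - Ensure ssh keys are correctly deployed
        - Configure APT preferences in minimal mode
        - Install base packages
        - Configure sudo, add wheel group, allow passwordless
  tags:
    - config_show

# Configure groups and users
# ==========================
# Groups are created before any user task references them.
- name: Ensure system security groups exists
  ansible.builtin.group:
    name: "{{ item }}"
    state: present
    system: true
  loop:
    - wheel
    - sudo
  loop_control:
    label: "Ensure system group: {{ item }}"

- name: Create users
  ansible.builtin.user:
    name: "{{ item.name }}"
    # append keeps memberships the account already has; only item.groups is added.
    append: true
    groups: "{{ item.groups | default([]) }}"
    state: "{{ item.state | default('present') }}"
    shell: "{{ item.shell | default('/bin/bash') }}"
    system: "{{ _system }}"
    comment: "{{ item.comment | default(omit) }}"
    create_home: true
    home: "{{ item.home | default('/home/' + item.name) }}"
    uid: "{{ item.uid | default(omit) }}"
  loop: "{{ system_accounts }}"
  loop_control:
    # uid and comment are optional; the defaults keep the label renderable
    # for accounts that do not set them.
    label: "Create {{ _system | ternary('system', 'regular') }} user: {{ item.name }} ({{ item.uid | default('auto uid') }}, {{ item.comment | default('No comments') }})"
  vars:
    _system: "{{ item.system | default(false) }}"

- name: Deploy all ssh keys
  ansible.posix.authorized_key:
    user: "{{ _user_name }}"
    state: "{{ _sshkey_state }}"
    key: "{{ _sshkey }}"
    follow: true
    path: "{{ _home_dir }}/.ssh/authorized_keys"
  # Only accounts that define sshkeys are visited; one iteration per (account, key) pair.
  loop: "{{ system_accounts | selectattr('sshkeys', 'defined') | subelements('sshkeys') }}"
  loop_control:
    label: "Deploy '{{ _user_name }}' public key: {{ _sshkey_comment }}"
  vars:
    _user_name: "{{ item.0.name }}"
    _home_dir: "{{ item.0.home | default('/home/' + item.0.name) }}"
    # sshkey_state applies to every key of that account.
    _sshkey_state: "{{ item.0.sshkey_state | default('present') }}"
    _sshkey: "{{ item.1 }}"
    # Last whitespace-separated field of the key line (its comment, when present).
    _sshkey_comment: "{{ _sshkey | split(' ') | last }}"

# Configure package manager
# ==========================
- name: Configure APT preferences
  ansible.builtin.copy:
    dest: "/etc/apt/apt.conf.d/{{ item.name }}"
    content: "{{ item.content }}"
    owner: root
    group: root
    mode: "0644"
  loop:
    - name: '01-norecommend'
      content: |
        APT::Install-Recommends "{{ system_packages_norecommend | bool | ternary(0, 1) }}";
    - name: '02-suggest'
      content: |
        APT::Install-Suggests "{{ system_packages_nosuggest | bool | ternary(0, 1) }}";
  loop_control:
    label: "Ensure APT preference: {{ item.content | trim }}"

- name: Install base tools
  ansible.builtin.package:
    name: "{{ system_packages }}"
  # Failures are tolerated only during a dry run (check mode).
  ignore_errors: "{{ ansible_check_mode }}"

# Configure sudo
# ==============
- name: Prepare sudo config for wheel group
  ansible.builtin.copy:
    dest: /etc/sudoers.d/wheel
    owner: root
    group: root
    mode: "0440"
    # A syntactically broken drop-in disables sudo for every user; let visudo
    # reject the file before it is put in place.
    validate: '/usr/sbin/visudo -cf %s'
    content: |
      Defaults:%wheel !requiretty
      %wheel ALL=(ALL) NOPASSWD: ALL

- name: Add managed users to sudo with password
  ansible.builtin.user:
    name: "{{ item.name }}"
    append: true
    groups:
      - sudo
  loop: "{{ system_accounts }}"
  loop_control:
    label: "Add user to sudo group: {{ item.name }}"
  when: "'sudo' in perm"
  vars:
    perm: "{{ item.permissions | default([]) }}"

# Each account is checked individually: only accounts that request
# 'sudo_nopass' join wheel (the passwordless group configured above).
- name: Add managed users to sudo without password
  ansible.builtin.user:
    name: "{{ item.name }}"
    append: true
    groups:
      - wheel
  loop: "{{ system_accounts }}"
  loop_control:
    label: "Add user to wheel group (passwordless sudo): {{ item.name }}"
  when: "'sudo_nopass' in perm"
  vars:
    perm: "{{ item.permissions | default([]) }}"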