---
- name: Create users
  ansible.builtin.user:
    name: "{{ item.key }}"
    groups: "{{ item.value.groups | default(omit) }}"
    password: "{{ item.value.hashed_password | default(omit) }}"
    shell: /bin/bash
    state: present
  loop_control:
    label: "{{ item.key }}"
  loop: "{{ pydis_users__users | dict2items }}"
  tags:
    - role::pydis-users

- name: Manage authorized keys
  ansible.posix.authorized_key:
    comment: Ansible managed
    exclusive: true
    key: "{{ item.value.ssh_key }}"
    key_options: "{{ item.value.ssh_key_options | default(omit) }}"
    user: "{{ item.key }}"
    state: present
  loop_control:
    label: "{{ item.key }}"
  loop: "{{ pydis_users__users | dict2items }}"
  tags:
    - role::pydis-users

- name: Allow SSH logins for pydis users
  ansible.builtin.copy:
    content: |
      # Ansible managed

      AllowUsers {{ pydis_users__users | sort | join(' ') }}
    dest: /etc/ssh/sshd_config.d/pydis-users-login.conf
    owner: root
    group: root
    mode: "0444"
  notify:
    - Reload ssh
  tags:
    - role::pydis-users