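---
# roles/core_users/tasks/main.yml
# requires python3-jmespath to run (pipx inject ansible-core jmespath)
#
# Creates local groups and users, then installs SSH public keys from the
# controller into each user's authorized_keys.
#
# Variables consumed here:
#   core_groups  - list of {name, state?, gid?, system?}
#   core_users   - list of {name, state?, password?, shell?, system?, uid?, group?,
#                  groups?, append?, create_home?, home?, update_password?,
#                  authorized_keys?: [<key file name without .pub>, ...]}
#   ssh_keys_dir - directory on the CONTROLLER holding <name>.pub files; it is
#                  only read when at least one user lists authorized_keys.
# The last task needs the ansible.posix collection.

- name: Ensure groups exist
  ansible.builtin.group:
    name: "{{ group_item.name }}"
    state: "{{ group_item.state | default('present') }}"
    gid: "{{ group_item.gid | default(omit) }}"
    system: "{{ group_item.system | default(omit) }}"
  loop: "{{ core_groups }}"
  loop_control:
    loop_var: group_item
    label: "{{ group_item.name }}"
  when: core_groups is defined

- name: Ensure users exist
  ansible.builtin.user:
    name: "{{ user_item.name }}"
    state: "{{ user_item.state | default('present') }}"
    # `password` must already be a crypt(3)-style hash (e.g. generated with
    # `password_hash('sha512')`); the module writes the value into the shadow
    # entry as-is, so a plaintext string is stored verbatim and never matches.
    password: "{{ user_item.password | default(omit) }}"
    # Module default (`always`) rewrites the hash on every run; set
    # `update_password: on_create` per user to stop the play from reverting
    # passwords changed on the host.
    update_password: "{{ user_item.update_password | default(omit) }}"
    shell: "{{ user_item.shell | default('/bin/bash') }}"
    system: "{{ user_item.system | default(omit) }}"
    uid: "{{ user_item.uid | default(omit) }}"
    group: "{{ user_item.group | default(omit) }}"
    # Without `append: true` the module replaces the user's supplementary
    # groups with `groups`, silently dropping memberships added elsewhere.
    groups: "{{ user_item.groups | default(omit) }}"
    append: "{{ user_item.append | default(omit) }}"
    create_home: "{{ user_item.create_home | default(omit) }}"
    home: "{{ user_item.home | default(omit) }}"
  loop: "{{ core_users }}"
  loop_control:
    loop_var: user_item
    # Show only the user name instead of the whole item dict (which would
    # include the password hash) in the task output.
    label: "{{ user_item.name }}"
  # Per-item results echo the module arguments, so suppress logging as soon
  # as any user carries a password hash; otherwise keep output for debugging.
  no_log: "{{ core_users | default([]) | selectattr('password', 'defined') | list | length > 0 }}"
  when: core_users is defined

- name: Authorized keys
  ansible.posix.authorized_key:
    user: "{{ item.0.name }}"
    state: present
    # The key name from vars is spliced into a controller-side path; a value
    # containing "../" would read a .pub file outside ssh_keys_dir. Treat
    # core_users as operator-controlled, or filter the name with `basename`.
    key: "{{ lookup('file', ssh_keys_dir+'/'+item.1+'.pub') }}"
  loop: "{{ query('subelements', core_users, 'authorized_keys', {'skip_missing': True}) }}"
  loop_control:
    label: "{{ item.0.name }}: {{ item.1 }}"
  # Skip when core_users is unset (the loop expression would otherwise fail)
  # and skip accounts this role removes, since the module cannot write to a
  # home directory that no longer exists.
  # NOTE: keys dropped from a user's list are NOT revoked by this task
  # (`exclusive` is not set); remove them with an explicit `state: absent`.
  when:
    - core_users is defined
    - (item.0.state | default('present')) == 'present'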