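---
# Provision a dedicated admin account on every host: create the user, install
# the listed SSH public keys, lock down ~/.ssh permissions and grant sudo.
# Booleans are written as true/false (YAML 1.2 canonical; `yes` is a 1.1-ism).
- name: Ensure tsadmin user and SSH key
  hosts: all
  become: true
  vars:
    ts_user: ts-admin
    # Public keys only; the trailing token is the key comment, not a secret.
    ts_pubkeys:
      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID+VHh9Q7Y/0dQgDqoHaQyf6EZjXqiBDg7FvQPrt5LSx Jan Forman"
      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMdDJqGN9L5zkCoQPCOmOy3Rozf4CY+w3p1nf4Ztl4VD miko@Directwire"

  tasks:
    - name: Ensure user exists
      ansible.builtin.user:
        name: "{{ ts_user }}"
        state: present
        create_home: true
        shell: /bin/bash

    # Home is assumed to be /home/<user>; if a host overrides the home
    # directory, use the `home` return value of the user task instead.
    - name: Ensure .ssh directory exists
      ansible.builtin.file:
        path: "/home/{{ ts_user }}/.ssh"
        state: directory
        owner: "{{ ts_user }}"
        group: "{{ ts_user }}"
        mode: '0700'

    - name: Install public keys for the user
      ansible.builtin.authorized_key:
        user: "{{ ts_user }}"
        key: "{{ item }}"
        state: present
      loop: "{{ ts_pubkeys }}"

    - name: Ensure authorized_keys permissions
      ansible.builtin.file:
        path: "/home/{{ ts_user }}/.ssh/authorized_keys"
        owner: "{{ ts_user }}"
        group: "{{ ts_user }}"
        mode: '0600'
        state: file

    # `sudo` is the admin group on Debian-family hosts; RHEL-family uses `wheel`.
    - name: Ensure user is member of sudo group
      ansible.builtin.user:
        name: "{{ ts_user }}"
        groups: sudo
        append: true

    # NOPASSWD:ALL makes possession of any key above equivalent to root on the
    # host; narrow the command list if the account's role allows it.
    # `validate` runs visudo on the staged file so a syntax error cannot be
    # installed and lock every sudo user out.
    - name: Allow user to sudo without password via sudoers.d
      ansible.builtin.copy:
        dest: "/etc/sudoers.d/{{ ts_user }}"
        content: "{{ ts_user }} ALL=(ALL) NOPASSWD:ALL\n"
        owner: root
        group: root
        mode: '0440'
        validate: /usr/sbin/visudo -cf %s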