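# Provision the ts-admin account: create the user, install its SSH public
# keys, and grant it passwordless sudo through a drop-in sudoers file.
# NOTE(review): these tasks write under /etc and /home, so they presumably
# run with become/root set by the calling play - confirm.

- name: Ensure ts-admin user exists
  ansible.builtin.user:
    name: ts-admin
    shell: /bin/bash
    state: present

# The path assumes the account's home is /home/ts-admin; the user task above
# does not set `home`, so this relies on the platform default - confirm.
# 0700 keeps the directory private to ts-admin, which sshd's default
# StrictModes check requires before it will honour authorized_keys.
- name: Ensure .ssh directory exists for ts-admin
  ansible.builtin.file:
    path: /home/ts-admin/.ssh
    state: directory
    owner: ts-admin
    group: ts-admin
    mode: '0700'

# Every key in ssh_public_keys becomes root-equivalent on the host because of
# the NOPASSWD rule installed below, so the list should be kept minimal.
# state: present only adds keys: a key dropped from ssh_public_keys later
# stays in authorized_keys until it is removed by a separate task.
# The task is skipped entirely when ssh_public_keys is undefined.
# NOTE(review): the authorized_key module ships in the ansible.posix
# collection; confirm this FQCN resolves on the ansible-core version in use.
- name: Add authorized keys for ts-admin
  ansible.builtin.authorized_key:
    user: ts-admin
    state: present
    key: "{{ item }}"
  loop: "{{ ssh_public_keys }}"
  when: ssh_public_keys is defined

- name: Ensure /etc/sudoers.d directory exists
  ansible.builtin.file:
    path: /etc/sudoers.d
    state: directory
    owner: root
    group: root
    mode: '0755'

# Grants ts-admin unrestricted root with no password prompt.
# `validate` makes Ansible run visudo in check mode on the staged file and
# only install it if the syntax is accepted; a malformed drop-in in
# /etc/sudoers.d can otherwise leave sudo unusable on the host.
# NOTE(review): /usr/sbin/visudo is the usual location; adjust if the target
# distribution installs it elsewhere.
- name: Allow ts-admin passwordless sudo
  ansible.builtin.copy:
    dest: /etc/sudoers.d/ts-admin
    content: "ts-admin ALL=(ALL) NOPASSWD:ALL\n"
    owner: root
    group: root
    mode: '0440'
    validate: /usr/sbin/visudo -cf %s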