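---
# Manage administrative accounts from the `users` list.
# Each entry supplies `name`, `password` and `ssh_pubkey`; `shell` and `state`
# are optional and default to /bin/bash and 'present'.
# Every loop below iterates over whole `users` entries, which carry the
# password value, so loop output is restricted to keep it out of logs.

- name: Ensure sudo is installed
  package:
    name: sudo

# Guard against locking ourselves out: abort before any account is touched if
# the list asks to remove the account this play is running as.
- name: Fail if removing the current user
  fail:
    msg: Refusing to delete the user used to run this play
  when:
    - item.name == ansible_user_id
    - item.state is defined
    - item.state == 'absent'
  loop: "{{ users }}"
  loop_control:
    # Show only the account name per iteration instead of the full item.
    # This trims the default display only; verbose runs still print the item.
    label: "{{ item.name }}"
  become: false

- name: Ensure users in correct state
  user:
    name: "{{ item.name }}"
    # The user module expects an already-hashed value here, not plaintext.
    password: "{{ item.password }}"
    shell: "{{ item.shell | default('/bin/bash') }}"
    # NOTE(review): without `append: true` the supplementary groups are set to
    # exactly this list, so other memberships are dropped. Confirm intended.
    groups:
      - sudo
    state: "{{ item.state | default('present') }}"
  loop: "{{ users }}"
  loop_control:
    label: "{{ item.name }}"
  # The password is a module argument, so censor this task's output entirely.
  no_log: true

# Keys are installed only for accounts that are being kept.
- name: Set ssh authorized keys for users
  authorized_key:
    user: "{{ item.name }}"
    key: "{{ item.ssh_pubkey }}"
  when: item.state | default('present') == 'present'
  loop: "{{ users }}"
  loop_control:
    label: "{{ item.name }}"

# Removes root's authorized_keys file unless the play connects as root.
# NOTE(review): when `ansible_user` is unset the default('') makes this
# condition true, so the file is removed even if the connection falls back to
# root implicitly. Confirm the inventory always sets ansible_user.
# This only removes key-based access; sshd settings are not changed here.
- name: Disable login as root with ssh key
  file:
    path: /root/.ssh/authorized_keys
    state: absent
  when: ansible_user | default('') != 'root'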