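---
# Admin account setup: create the "admins" group, install its sudoers
# drop-in, make sure /etc/sudoers includes the drop-in directory, create the
# admin users, and install their SSH public keys.

- name: Ensure group "admins" exists
  # include_tasks: create_groups.yml
  ansible.builtin.group:
    name: admins
    state: present

# The sudo rule itself lives in sudo_group_admins, which is not shown here.
# Going by the task name it is a passwordless rule, so membership in "admins"
# would be root-equivalent; keep the member list below short and reviewed.
# NOTE(review): src points into a role's files/ directory but is rendered with
# the template module -- confirm the file really needs templating.
- name: Grant sudo without PW to admins group
  ansible.builtin.template:
    src: roles/users/files/sudo_group_admins
    dest: /etc/sudoers.d/admins
    owner: root
    group: root
    mode: '0440'
    # Syntax-check the rendered file before it replaces the live one; a
    # broken file under sudoers.d can make sudo refuse to run for everyone.
    validate: /usr/sbin/visudo -cf %s

# NOTE(review): the regexp only matches the "#includedir" spelling. If the
# target's /etc/sudoers uses "@includedir" instead, nothing matches and a
# second include line is appended -- check against the target distribution.
- name: Enable sudoers.d subdir
  ansible.builtin.lineinfile:
    path: /etc/sudoers
    state: present
    regexp: '^#includedir'
    line: '#includedir /etc/sudoers.d'
    # visudo checks the edited copy; the change is dropped if it fails.
    validate: /usr/sbin/visudo -cf %s

# Admin users. No password is set by these tasks; the accounts are given SSH
# keys further down. "append: true" adds "admins" to each user's
# supplementary groups without removing the groups the user already has.
- name: Ensure user "lea" exists
  ansible.builtin.user:
    name: lea
    shell: /bin/bash
    groups: admins
    append: true

- name: Ensure user "beat" exists
  ansible.builtin.user:
    name: beat
    shell: /bin/bash
    groups: admins
    append: true

- name: Ensure user "rulrich" exists
  ansible.builtin.user:
    name: rulrich
    shell: /bin/bash
    groups: admins
    append: true

# SSH public keys, one file per user under public_keys/. "state: present"
# only adds keys.
# NOTE(review): "exclusive" is not set, so a key deleted from public_keys/<user>
# stays in that user's authorized_keys on hosts that already have it. Decide
# whether key revocation should be driven from these files.
- name: Set up authorized keys for user lea
  ansible.posix.authorized_key:
    user: lea
    state: present
    key: '{{ item }}'
  with_file:
    - public_keys/lea

- name: Set up authorized keys for user beat
  ansible.posix.authorized_key:
    user: beat
    state: present
    key: '{{ item }}'
  with_file:
    - public_keys/beat

- name: Set up authorized keys for user rulrich
  ansible.posix.authorized_key:
    user: rulrich
    state: present
    key: '{{ item }}'
  with_file:
    - public_keys/rulrich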