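---
# Provision the dedicated "ansible" service account: the user, its home and
# ~/.ssh, the shared private key on management hosts, source-restricted
# authorized keys, and passwordless sudo.
- include_vars: vault.yml

- name: Add ansible user with bash shell
  user:
    name: ansible
    shell: /bin/bash
    comment: "Ansible"
    state: present

- name: Create ansible home-directory
  file:
    path: /home/ansible
    owner: ansible
    group: ansible
    mode: "0700"  # quoted: an unquoted 0700 can be read as the integer 448
    state: directory

- name: Create HOME/.ssh dir for ansible user
  file:
    path: /home/ansible/.ssh
    owner: ansible
    group: ansible
    mode: "0700"
    state: directory

- name: Copy the Ansible global key
  copy:
    src: "id_ecdsa"
    dest: "/home/ansible/.ssh/id_ecdsa"
    owner: ansible
    group: ansible
    mode: "0600"  # private key: must not be readable by group/others
    force: false  # never overwrite a key already present on the host
  when: "'management' in group_names"

# Build the authorized_keys content from the vault; the dtap key is appended
# only on dtap hosts.
- set_fact:
    all_keys: "{{ vault_ssh_keys | join('\n') }}"

- set_fact:
    all_keys: "{{ all_keys + '\n' + vault_ansible_dtap_key }}"
  when: "'dtap-all' in group_names"

- name: Add authorized key for Ansible user
  authorized_key:
    user: ansible
    exclusive: true  # any key not in all_keys is removed
    key: "{{ all_keys }}"
    # Restrict where these keys may log in from (localhost plus the allowed
    # controller IPs).
    key_options: 'from="127.0.0.1,{{ di_common_ansible_ssh_key_from_ips }}"'

- name: Add ansible to the sudoers
  lineinfile:
    dest: /etc/sudoers
    state: present
    regexp: '^ansible'
    line: 'ansible ALL=(ALL) NOPASSWD: ALL'
    # A syntax error in /etc/sudoers disables sudo for everyone; have visudo
    # check the candidate file before it replaces the real one.
    validate: 'visudo -cf %s'
  become: true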