refactor(users): migrate system.user to system.users[] for multi-user support

roles/configuration/tasks/sudo.yml

@@ -5,3 +5,14 @@
     dest: /mnt/etc/sudoers.d/01-wheel
     mode: "0440"
     validate: /usr/sbin/visudo --check --file=%s
+
+- name: Deploy per-user sudoers rules
+  when: item.sudo is defined and (item.sudo | string | length) > 0
+  ansible.builtin.copy:
+    content: "{{ item.name }} {{ item.sudo }}\n"
+    dest: "/mnt/etc/sudoers.d/{{ item.name }}"
+    mode: "0440"
+    validate: /usr/sbin/visudo --check --file=%s
+  loop: "{{ system_cfg.users }}"
+  loop_control:
+    label: "{{ item.name }}"

roles/configuration/tasks/users.yml

@@ -1,38 +1,53 @@
 ---
-- name: Create user account
+- name: Set root password
+  vars:
+    configuration_root_cmd: >-
+      {{ chroot_command }} /usr/sbin/usermod --password
+      '{{ system_cfg.root.password | password_hash('sha512') }}' root --shell /bin/bash
+  ansible.builtin.command: "{{ configuration_root_cmd }}"
+  register: configuration_root_result
+  changed_when: configuration_root_result.rc == 0
+
+- name: Create user accounts
   vars:
     configuration_user_group: >-
       {{ "sudo" if is_debian | bool else "wheel" }}
     configuration_useradd_cmd: >-
       {{ chroot_command }} /usr/sbin/useradd --create-home --user-group
-      --groups {{ configuration_user_group }} {{ system_cfg.user.name }}
-      --password {{ system_cfg.user.password | password_hash('sha512') }} --shell /bin/bash
-    configuration_root_cmd: >-
-      {{ chroot_command }} /usr/sbin/usermod --password
-      '{{ system_cfg.root.password | password_hash('sha512') }}' root --shell /bin/bash
-  ansible.builtin.command: "{{ item }}"
-  loop:
-    - "{{ configuration_useradd_cmd }}"
-    - "{{ configuration_root_cmd }}"
+      --uid {{ 1000 + ansible_loop.index0 }}
+      --groups {{ configuration_user_group }} {{ item.name }}
+      --password {{ item.password | password_hash('sha512') }} --shell /bin/bash
+  ansible.builtin.command: "{{ configuration_useradd_cmd }}"
+  loop: "{{ system_cfg.users }}"
+  loop_control:
+    extended: true
+    label: "{{ item.name }}"
   register: configuration_user_result
   changed_when: configuration_user_result.rc == 0
 
 - name: Ensure .ssh directory exists
-  when: system_cfg.user.keys | length > 0
+  when: item.keys | default([]) | length > 0
   ansible.builtin.file:
-    path: /mnt/home/{{ system_cfg.user.name }}/.ssh
+    path: "/mnt/home/{{ item.name }}/.ssh"
     state: directory
-    owner: 1000
-    group: 1000
+    owner: "{{ 1000 + ansible_loop.index0 }}"
+    group: "{{ 1000 + ansible_loop.index0 }}"
     mode: "0700"
+  loop: "{{ system_cfg.users }}"
+  loop_control:
+    extended: true
+    label: "{{ item.name }}"
 
 - name: Add SSH public keys to authorized_keys
-  when: system_cfg.user.keys | length > 0
+  vars:
+    _uid: "{{ 1000 + (system_cfg.users | map(attribute='name') | list).index(item.0.name) }}"
   ansible.builtin.lineinfile:
-    path: /mnt/home/{{ system_cfg.user.name }}/.ssh/authorized_keys
-    line: "{{ item }}"
-    owner: 1000
-    group: 1000
+    path: "/mnt/home/{{ item.0.name }}/.ssh/authorized_keys"
+    line: "{{ item.1 }}"
+    owner: "{{ _uid }}"
+    group: "{{ _uid }}"
     mode: "0600"
     create: true
-  loop: "{{ system_cfg.user.keys }}"
+  loop: "{{ system_cfg.users | subelements('keys', skip_missing=True) }}"
+  loop_control:
+    label: "{{ item.0.name }}: {{ item.1[:40] }}..."