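---
# Provisions root and the configured user accounts inside a freshly installed
# system that is mounted at /mnt and entered via `chroot_command`.
#
# Password hashes are fed to `chpasswd -e` on stdin instead of being passed as
# `useradd/usermod --password <hash>`: a command-line argument is visible to
# every local process through `ps` / /proc/<pid>/cmdline while the command
# runs, and `no_log` only protects Ansible's own output, not the target host.
#
# password_hash() draws a fresh random salt on every run and changed_when is
# tied to rc == 0, so these tasks are never idempotent; together with the
# fixed UID scheme below they are intended for fresh installs only.

- name: Set root shell
  ansible.builtin.command: >-
    {{ chroot_command }} /usr/sbin/usermod
    --shell {{ system_cfg.root.shell | default('/bin/bash') }}
    root
  register: configuration_root_shell_result
  changed_when: configuration_root_shell_result.rc == 0

- name: Set root password
  ansible.builtin.command:
    cmd: "{{ chroot_command }} /usr/sbin/chpasswd -e"
    # chpasswd reads `user:hash` lines; -e marks the value as already hashed.
    stdin: "root:{{ system_cfg.root.password | password_hash('sha512') }}"
  register: configuration_root_result
  changed_when: configuration_root_result.rc == 0
  no_log: true

- name: Create user accounts
  vars:
    # Every configured user is placed in the distro's admin group (sudo on
    # Debian derivatives, wheel elsewhere) — adjust if not all users should
    # be administrators.
    configuration_user_group: >-
      {{ "sudo" if is_debian | bool else "wheel" }}
    # UID starts at 1000; safe for fresh installs only
    configuration_useradd_cmd: >-
      {{ chroot_command }} /usr/sbin/useradd
      --create-home
      --user-group
      --uid {{ 1000 + ansible_loop.index0 }}
      --groups {{ configuration_user_group }}
      --shell {{ item.shell | default('/bin/bash') }}
      {{ item.name }}
  ansible.builtin.command: "{{ configuration_useradd_cmd }}"
  loop: "{{ system_cfg.users }}"
  loop_control:
    extended: true
    label: "{{ item.name }}"
  register: configuration_user_result
  changed_when: configuration_user_result.rc == 0
  # The loop item carries the plaintext `password`; keep it out of output.
  no_log: true

- name: Set user passwords
  ansible.builtin.command:
    cmd: "{{ chroot_command }} /usr/sbin/chpasswd -e"
    stdin: "{{ item.name }}:{{ item.password | password_hash('sha512') }}"
  loop: "{{ system_cfg.users }}"
  loop_control:
    label: "{{ item.name }}"
  register: configuration_user_password_result
  changed_when: configuration_user_password_result.rc == 0
  no_log: true

# NOTE(review): the two tasks below loop over the same user dicts, so a failure
# will dump `item` — including the plaintext password — into the error output.
# Either loop over a projection without `password` or accept the trade-off;
# adding no_log here would hide the failure reason.
- name: Ensure .ssh directory exists
  # item['keys'] rather than item.keys: the latter resolves to dict.keys().
  # default([], true) also covers an explicit `keys: null`.
  when: item['keys'] | default([], true) | length > 0
  ansible.builtin.file:
    # Written on the installer host, so the chroot user's numeric UID is used
    # for ownership (it matches the --uid assigned at account creation).
    path: "/mnt/home/{{ item.name }}/.ssh"
    state: directory
    owner: "{{ 1000 + ansible_loop.index0 }}"
    group: "{{ 1000 + ansible_loop.index0 }}"
    mode: "0700"
  loop: "{{ system_cfg.users }}"
  loop_control:
    extended: true
    label: "{{ item.name }}"

- name: Add SSH public keys to authorized_keys
  vars:
    # subelements flattens (user, key) pairs, so ansible_loop.index0 would
    # count keys, not users; recover the user's position (and hence UID) by
    # name instead. Assumes user names are unique.
    _uid: "{{ 1000 + (system_cfg.users | map(attribute='name') | list).index(item.0.name) }}"
  ansible.builtin.lineinfile:
    path: "/mnt/home/{{ item.0.name }}/.ssh/authorized_keys"
    line: "{{ item.1 }}"
    owner: "{{ _uid }}"
    group: "{{ _uid }}"
    mode: "0600"
    create: true
  loop: "{{ system_cfg.users | subelements('keys', skip_missing=True) }}"
  loop_control:
    # Public keys only, so showing a prefix is safe.
    label: "{{ item.0.name }}: {{ item.1[:40] }}..."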