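---
# Account provisioning for the installed system. Every command is prefixed
# with `chroot_command` (defined elsewhere) so the changes land in the target
# root rather than on the provisioning host.
#
# Password hashes produced by password_hash() are handed to `chpasswd -e` on
# stdin instead of being placed on a command line, so they never appear in the
# host's process table or exec audit trail. Tasks whose parameters or loop
# items carry a password keep `no_log: true` to stay out of Ansible's output.

- name: Validate user names before they are used in commands and paths
  # `item.key` is interpolated unquoted into useradd arguments and into the
  # path /mnt/home/<name>/.ssh below, so restrict it to a conservative POSIX
  # login-name character set (no whitespace, no '/', no '..').
  ansible.builtin.assert:
    that:
      - >-
        system_cfg.users | dict2items | map(attribute='key')
        | reject('match', '^[a-z_][a-z0-9_-]{0,31}$') | list | length == 0
    fail_msg: "system_cfg.users contains a user name that is not a valid login name"
    quiet: true

- name: Set root password
  when: (system_cfg.root.password | default('') | string | length) > 0
  ansible.builtin.command:
    cmd: "{{ chroot_command }} /usr/sbin/chpasswd -e"
    # `chpasswd -e` reads "login:hash" from stdin and stores the hash as-is.
    # password_hash() chooses a fresh random salt on every run, so this task
    # always reports changed (hence changed_when on rc alone).
    stdin: "root:{{ system_cfg.root.password | password_hash('sha512') }}"
  register: configuration_root_result
  changed_when: configuration_root_result.rc == 0
  no_log: true

- name: Lock root account when no password is set
  when: (system_cfg.root.password | default('') | string | length) == 0
  ansible.builtin.command:
    # `passwd -l` prefixes root's shadow entry with '!', refusing password
    # authentication for root; other mechanisms (sudo, keys) are not touched.
    cmd: "{{ chroot_command }} /usr/bin/passwd -l root"
  register: configuration_root_lock_result
  changed_when: configuration_root_lock_result.rc == 0

- name: Set root shell
  ansible.builtin.command:
    # Deliberately no default: an unset system_cfg.root.shell renders an
    # empty argument and usermod should fail rather than silently pick a
    # shell. NOTE(review): assumes the inventory always sets root.shell.
    cmd: "{{ chroot_command }} /usr/sbin/usermod --shell {{ system_cfg.root.shell }} root"
  register: configuration_root_shell_result
  changed_when: configuration_root_shell_result.rc == 0

- name: Create user accounts
  vars:
    configuration_user_group: "{{ _configuration_platform.user_group }}"
  ansible.builtin.command:
    # UIDs are assigned positionally (1000, 1001, ...) from the iteration
    # order of system_cfg.users. No --password here: useradd leaves the
    # shadow field locked ('!'), so password login is impossible until the
    # next task sets a hash; accounts without a password stay key-only.
    cmd: >-
      {{ chroot_command }} /usr/sbin/useradd
      --create-home --user-group
      --uid {{ 1000 + _idx }}
      --groups {{ configuration_user_group }}
      --shell {{ item.value.shell | default('/bin/bash') }}
      {{ item.key }}
  loop: "{{ system_cfg.users | dict2items }}"
  loop_control:
    index_var: _idx
    label: "{{ item.key }}"
  register: configuration_user_result
  changed_when: configuration_user_result.rc == 0
  # The loop item still carries item.value.password in clear text and would
  # be echoed in verbose output, so this task stays silent even though the
  # command line itself no longer contains a hash.
  no_log: true

- name: Set user passwords
  when: (item.value.password | default('') | string | length) > 0
  ansible.builtin.command:
    cmd: "{{ chroot_command }} /usr/sbin/chpasswd -e"
    # Hash goes over stdin, never into argv (see header comment).
    stdin: "{{ item.key }}:{{ item.value.password | password_hash('sha512') }}"
  loop: "{{ system_cfg.users | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  register: configuration_user_password_result
  changed_when: configuration_user_password_result.rc == 0
  no_log: true

- name: Ensure .ssh directory exists
  when: (item.value['keys'] | default([]) | length) > 0
  # Paths are addressed from the host side under /mnt because the file
  # module does not run inside the chroot. NOTE(review): assumes
  # chroot_command targets /mnt -- confirm against its definition.
  # Ownership uses numeric IDs since the names only resolve inside the chroot;
  # the group is assumed to have received gid == uid from `useradd
  # --user-group`, which shadow-utils attempts but does not guarantee -- verify.
  ansible.builtin.file:
    path: "/mnt/home/{{ item.key }}/.ssh"
    state: directory
    owner: "{{ 1000 + _idx }}"
    group: "{{ 1000 + _idx }}"
    mode: "0700"
  loop: "{{ system_cfg.users | dict2items }}"
  loop_control:
    index_var: _idx
    label: "{{ item.key }}"

- name: Deploy SSH authorized_keys
  when: (item.value['keys'] | default([]) | length) > 0
  # `item.value['keys']` (not `.keys`) because `.keys` would resolve to the
  # dict method. NOTE(review): the loop item also carries item.value.password;
  # verbose output of this task may echo it -- consider no_log or a
  # password-free loop list.
  ansible.builtin.copy:
    content: "{{ item.value['keys'] | join('\n') }}\n"
    dest: "/mnt/home/{{ item.key }}/.ssh/authorized_keys"
    owner: "{{ 1000 + _idx }}"
    group: "{{ 1000 + _idx }}"
    mode: "0600"
  loop: "{{ system_cfg.users | dict2items }}"
  loop_control:
    index_var: _idx
    label: "{{ item.key }}"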