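---
# Bootstrap play for the "nodito" hosts: install sudo, install the controller's
# public key for root, harden sshd (key-only auth, no root login) and create a
# passwordless-sudo user for later plays to connect as.
#
# Ordering is deliberate: key access is installed and checked BEFORE password
# authentication and root login are switched off, so a failed key install does
# not lock the operator out.
- name: Bootstrap Nodito SSH Key Access
  hosts: nodito
  become: true
  vars_files:
    - ../infra_vars.yml  # expected to define ssh_port and new_user — confirm
  tasks:
    - name: Install sudo package
      package:
        name: sudo
        state: present

    - name: Ensure SSH directory exists for root
      file:
        path: /root/.ssh
        state: directory
        mode: "0700"
        owner: root
        group: root

    # The public key is derived from the private key Ansible itself connects
    # with, so the controller running this play keeps access afterwards.
    - name: Install SSH public key for root
      authorized_key:
        user: root
        key: "{{ lookup('file', ansible_ssh_private_key_file + '.pub') }}"
        state: present

    # backrefs is left at its default (false) on every sshd_config edit below:
    # with backrefs: true, lineinfile never adds the line when the regexp does
    # not match, so a config lacking the directive would silently keep sshd's
    # built-in default (password auth on, root login allowed).
    # validate runs sshd's syntax check on the candidate file before it is
    # written, so a typo cannot take sshd down at the restart below.
    # NOTE(review): if sshd_config starts with "Include sshd_config.d/*.conf",
    # directives in those drop-ins are read first and win — confirm on the image.
    - name: Ensure SSH key-based authentication is enabled
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^#?PubkeyAuthentication"
        line: "PubkeyAuthentication yes"
        state: present
        validate: "/usr/sbin/sshd -t -f %s"

    - name: Ensure AuthorizedKeysFile is properly configured
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^#?AuthorizedKeysFile"
        line: "AuthorizedKeysFile .ssh/authorized_keys"
        state: present
        validate: "/usr/sbin/sshd -t -f %s"

    - name: Restart SSH service
      service:
        name: ssh
        state: restarted

    # Runs on the managed node and polls its own ssh_port on ansible_host.
    - name: Wait for SSH to be ready
      wait_for:
        port: "{{ ssh_port }}"
        host: "{{ ansible_host }}"
        delay: 2
        timeout: 30

    # NOTE(review): with become: true at play level this always reports root
    # over the already-established connection; it proves the node is still
    # reachable after the restart, not that the newly installed key works.
    - name: Test SSH key authentication
      command: whoami
      register: ssh_key_test
      changed_when: false

    - name: Verify SSH key authentication works
      assert:
        that:
          - ssh_key_test.stdout == "root"
        fail_msg: "SSH key authentication failed - expected 'root', got '{{ ssh_key_test.stdout }}'"

    - name: Create new user
      user:
        name: "{{ new_user }}"
        groups: sudo
        shell: /bin/bash
        state: present
        create_home: true

    - name: Set up SSH directory for new user
      file:
        path: "/home/{{ new_user }}/.ssh"
        state: directory
        mode: "0700"
        owner: "{{ new_user }}"
        group: "{{ new_user }}"

    - name: Install SSH public key for new user
      authorized_key:
        user: "{{ new_user }}"
        key: "{{ lookup('file', ansible_ssh_private_key_file + '.pub') }}"
        state: present

    # visudo -c rejects a malformed rule before it lands in sudoers.d; a bad
    # file there would otherwise break sudo for everyone on the host.
    - name: Allow new user to run sudo without password
      copy:
        dest: "/etc/sudoers.d/{{ new_user }}"
        content: |
          {{ new_user }} ALL=(ALL) NOPASSWD:ALL
        owner: root
        group: root
        mode: "0440"
        validate: "/usr/sbin/visudo -cf %s"

    # From here on only key-based logins as non-root users are accepted.
    # NOTE(review): if this play connects as root, new connections after the
    # restart below will be refused; only the existing session survives.
    - name: Disable root login
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^#?PermitRootLogin .*"
        line: "PermitRootLogin no"
        state: present
        validate: "/usr/sbin/sshd -t -f %s"

    - name: Disable password authentication
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^#?PasswordAuthentication .*"
        line: "PasswordAuthentication no"
        state: present
        validate: "/usr/sbin/sshd -t -f %s"

    - name: Restart SSH service
      service:
        name: ssh
        state: restarted

    - name: Wait for SSH to be ready
      wait_for:
        port: "{{ ssh_port }}"
        host: "{{ ansible_host }}"
        delay: 2
        timeout: 30

    # NOTE(review): become_user switches identity via sudo over the existing
    # connection; this checks the sudoers rule, not an SSH login as new_user.
    - name: Test connection with new user
      command: whoami
      become_user: "{{ new_user }}"
      register: new_user_test
      changed_when: false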