---
# Provision the dedicated backup account: the user itself, its SSH key
# material, a sudoers drop-in for rsync and an sshd drop-in for the account.

- name: Ensure backupagent user exists
  ansible.builtin.user:
    state: present
    name: "{{ backupagent.name }}"
    # NOTE(review): the shell comes straight from inventory; whether it is a
    # login shell or a restricted one cannot be told from this file.
    shell: "{{ backupagent.shell }}"
    create_home: true

# The paths below hard-code /home/<name>. The user task above passes no
# explicit home, so this assumes the platform default home base is /home
# -- TODO confirm on the target hosts.
- name: Ensure backupagent SSH directory exists
  ansible.builtin.file:
    state: directory
    path: "/home/{{ backupagent.name }}/.ssh"
    # 0700 and owned by the account: only the account can enter the directory.
    mode: "0700"
    owner: "{{ backupagent.name }}"
    group: "{{ backupagent.name }}"

# copy writes the complete file from the key list, so a key that is not in
# backupagent.authorized_keys is dropped on the next run.
# NOTE(review): entries are written verbatim, one list item per line. This
# account also receives a sudoers rule below, so consider carrying sshd key
# options (`restrict`, `from="..."`, a forced `command="..."`) in each
# entry -- check what the inventory values actually contain.
- name: Install backupagent authorized keys
  ansible.builtin.copy:
    dest: "/home/{{ backupagent.name }}/.ssh/authorized_keys"
    mode: "0600"
    owner: "{{ backupagent.name }}"
    group: "{{ backupagent.name }}"
    content: |
      {% for key in backupagent.authorized_keys %}
      {{ key }}
      {% endfor %}

# visudo -cf checks the rendered file before it replaces the destination, so
# a syntax error is rejected instead of being installed.
# NOTE(review): the template is not part of this file. rsync running as root
# can read and overwrite any path, so the rule should name the exact rsync
# command line the backup uses rather than the bare binary -- verify in
# backupagent-sudoers.j2.
- name: Allow passwordless sudo for backup rsync
  ansible.builtin.template:
    src: backupagent-sudoers.j2
    dest: /etc/sudoers.d/backupagent-rsync
    mode: "0440"
    owner: root
    group: root
    validate: "/usr/sbin/visudo -cf %s"

# NOTE(review): unlike the sudoers task there is no validate step here, so a
# broken drop-in would presumably surface only when the notified handler
# acts on sshd. The handler and the template are defined outside this file.
# The drop-in also only takes effect if the main sshd_config includes
# /etc/ssh/sshd_config.d -- TODO confirm on the target hosts.
- name: Restrict SSH settings for backupagent
  ansible.builtin.template:
    src: backupagent-sshd-match.conf.j2
    dest: /etc/ssh/sshd_config.d/60-backupagent.conf
    mode: "0644"
    owner: root
    group: root
  notify: Restart ssh after backupagent change