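---
# Provisions SSH admin accounts, installs their authorized keys and drops
# an sshd hardening fragment into /etc/ssh/sshd_config.d.
# Variables read: ssh_packages, ssh_admin_groups, ssh_admin_users
# (each user: name, optional shell, groups, authorized_keys).

- name: Install SSH packages
  ansible.builtin.apt:
    name: "{{ ssh_packages }}"
    state: present
    update_cache: true

- name: Ensure admin groups exist
  ansible.builtin.group:
    name: "{{ item }}"
    state: present
  loop: "{{ ssh_admin_groups }}"

- name: Ensure admin users exist
  ansible.builtin.user:
    name: "{{ item.name }}"
    shell: "{{ item.shell | default('/bin/bash') }}"
    groups: "{{ item.groups | default([]) }}"
    # append only adds memberships: a group dropped from item.groups later
    # is NOT removed from the account on the host.
    append: true
    create_home: true
    state: present
  loop: "{{ ssh_admin_users }}"
  loop_control:
    label: "{{ item.name }}"

# NOTE(review): the next two tasks assume the home directory is
# /home/<name> and that a primary group named after the user exists.
- name: Ensure .ssh directories exist
  ansible.builtin.file:
    path: "/home/{{ item.name }}/.ssh"
    state: directory
    owner: "{{ item.name }}"
    group: "{{ item.name }}"
    mode: "0700"
  loop: "{{ ssh_admin_users }}"
  loop_control:
    label: "{{ item.name }}"

# The file is rewritten from item.authorized_keys on every run, so keys
# added by hand on the host are dropped and a user with no keys listed
# ends up with an empty file. Each entry is written verbatim as one line;
# entries are not checked for embedded newlines.
- name: Install SSH authorized key files
  ansible.builtin.copy:
    dest: "/home/{{ item.name }}/.ssh/authorized_keys"
    content: |
      {% for key in item.authorized_keys | default([]) %}
      {{ key }}
      {% endfor %}
    owner: "{{ item.name }}"
    group: "{{ item.name }}"
    mode: "0600"
  loop: "{{ ssh_admin_users }}"
  loop_control:
    label: "{{ item.name }}"

# sshd keeps the FIRST value it reads for each keyword and reads the
# files of an Include glob in lexical order, so a fragment that sorts
# before 99-twirre.conf (or a setting in sshd_config above the Include)
# takes precedence over this one. Confirm the effective settings on the
# host with `sshd -T` after deployment.
- name: Harden sshd configuration
  ansible.builtin.template:
    src: sshd_config.j2
    dest: /etc/ssh/sshd_config.d/99-twirre.conf
    owner: root
    group: root
    mode: "0644"
    # Syntax-check the rendered fragment before it replaces the live file,
    # so a template error cannot reach the restart handler and lock out
    # remote access. This checks the fragment on its own, not the merged
    # configuration. Assumes ssh_packages provides /usr/sbin/sshd; confirm.
    validate: /usr/sbin/sshd -t -f %s
  notify: Restart ssh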