---
# Generate SSH Keys for Admin Users
#
# Flow, per managed host:
#   1. a host-specific directory is created on the control node (0700)
#   2. one key pair per admin user with generate_keys: true is created there
#   3. the .pub half is read back and installed in that user's authorized_keys
#   4. a README describing the files is written next to the keys (0600)
#
# Private keys stay on the control node. ssh_keys_local_dir is presumably
# located outside version control — confirm where the role/playbook sets it.

- name: Create local SSH keys directory on control node
  delegate_to: localhost
  run_once: false  # one directory per inventory host, not one in total
  ansible.builtin.file:
    path: "{{ ssh_keys_local_dir }}/{{ inventory_hostname }}"
    state: directory
    mode: '0700'  # private keys are written here; owner-only access

- name: Generate SSH key pairs on control node
  # NOTE(review): with state: present an existing key file is left as is, so
  # re-running this task does not rotate keys (the generated README says it
  # does). Rotation needs the module's force/regenerate options or removal of
  # the old files first.
  delegate_to: localhost
  run_once: false
  community.crypto.openssh_keypair:
    path: "{{ ssh_keys_local_dir }}/{{ inventory_hostname }}/{{ item.username }}_id_{{ ssh_key_type }}"
    type: "{{ ssh_key_type }}"
    # size is only meaningful for RSA; for other key types it is omitted
    size: "{{ ssh_key_bits if ssh_key_type == 'rsa' else omit }}"
    comment: "{{ item.username }}@{{ inventory_hostname }}"
    state: present
  loop: "{{ admin_users }}"
  loop_control:
    label: "{{ item.username }}"  # keep per-item output to the username
  when: item.generate_keys | default(false) and item.state | default('present') == 'present'
  register: generated_keys

- name: Read generated public keys
  # Same selection as the generation task so every slurped path exists.
  delegate_to: localhost
  run_once: false
  ansible.builtin.slurp:
    src: "{{ ssh_keys_local_dir }}/{{ inventory_hostname }}/{{ item.username }}_id_{{ ssh_key_type }}.pub"
  loop: "{{ admin_users }}"
  loop_control:
    label: "{{ item.username }}"
  when: item.generate_keys | default(false) and item.state | default('present') == 'present'
  register: public_keys

- name: Add generated public keys to authorized_keys
  # Runs on the managed host; item is one slurp result, item.item the user entry.
  # Keys are added, not replaced (no exclusive), so old keys stay until removed.
  ansible.posix.authorized_key:
    user: "{{ item.item.username }}"
    key: "{{ item.content | b64decode }}"  # slurp returns base64
    state: present
  loop: "{{ public_keys.results }}"
  loop_control:
    label: "{{ item.item.username }}"
  when: item is not skipped and item.content is defined

- name: Create SSH key summary file
  # NOTE(review): the README loop and this task's when only check
  # generate_keys, not state, unlike the generation task — a user with
  # generate_keys: true and state: absent is listed although no key was made.
  # Relies on ansible_date_time, i.e. facts gathered for this host.
  delegate_to: localhost
  run_once: false
  ansible.builtin.copy:
    dest: "{{ ssh_keys_local_dir }}/{{ inventory_hostname }}/README.md"
    mode: '0600'
    content: |
      # SSH Keys for {{ inventory_hostname }}

      Generated: {{ ansible_date_time.iso8601 }}

      ## Admin Users
      {% for user in admin_users %}
      {% if user.generate_keys | default(false) %}
      ### {{ user.username }}

      - **Private Key**: `{{ user.username }}_id_{{ ssh_key_type }}`
      - **Public Key**: `{{ user.username }}_id_{{ ssh_key_type }}.pub`
      - **Comment**: {{ user.username }}@{{ inventory_hostname }}

      **Usage**:
      ```bash
      # Copy private key to your machine
      scp {{ ssh_keys_local_dir }}/{{ inventory_hostname }}/{{ user.username }}_id_{{ ssh_key_type }} ~/.ssh/

      # Set correct permissions
      chmod 600 ~/.ssh/{{ user.username }}_id_{{ ssh_key_type }}

      # SSH to server
      ssh -i ~/.ssh/{{ user.username }}_id_{{ ssh_key_type }} {{ user.username }}@{{ inventory_hostname }}
      ```
      {% endif %}
      {% endfor %}

      ## Security Notes

      - Private keys are stored on the Ansible control node only
      - Public keys are deployed to the servers
      - Keep private keys secure and never commit to git
      - Rotate keys regularly (every 90 days recommended)

      ## Key Rotation

      To rotate keys:

      1. Generate new keys by re-running the playbook
      2. Test new keys work
      3. Remove old keys from authorized_keys
      4. Delete old private keys securely
  when: admin_users | selectattr('generate_keys', 'defined') | selectattr('generate_keys') | list | length > 0