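---
# Create Admin Users
#
# Expects `admin_users`: a list of mappings with at least `username`.
# Optional per-entry keys read below: comment, groups, shell, home, state,
# remove, authorized_keys (list of public-key strings).
# Also expects password_max_days, password_min_days, password_warn_age,
# password_inactive_days and default_umask to be defined.

- name: Create admin user accounts
  ansible.builtin.user:
    name: "{{ item.username }}"
    comment: "{{ item.comment | default(item.username) }}"
    # Per-user groups win, then the play-wide default, then sudo.
    # (Set admin_default_groups: ['wheel'] for RHEL-family hosts.)
    groups: "{{ item.groups | default(admin_default_groups | default(['sudo'])) }}"
    append: true
    shell: "{{ item.shell | default('/bin/bash') }}"
    # Only pass a home path when the inventory sets one; otherwise let the
    # system default apply.
    home: "{{ item.home | default(omit) }}"
    create_home: true
    state: "{{ item.state | default('present') }}"
    # When offboarding (state: absent) the home directory - and any keys in
    # it - is only removed if the entry opts in with remove: true.
    remove: "{{ item.remove | default(false) }}"
  loop: "{{ admin_users }}"
  loop_control:
    label: "{{ item.username }}"

- name: Set password policies for admin users
  # argv form: every value is passed as one argument and is never re-parsed
  # by a shell, so a username or policy value containing shell metacharacters
  # cannot add extra commands.
  ansible.builtin.command:
    argv:
      - chage
      - "-M"
      - "{{ password_max_days }}"
      - "-m"
      - "{{ password_min_days }}"
      - "-W"
      - "{{ password_warn_age }}"
      - "-I"
      - "{{ password_inactive_days }}"
      - "{{ item.username }}"
  loop: "{{ admin_users }}"
  loop_control:
    label: "{{ item.username }}"
  when: item.state | default('present') == 'present'
  # chage is not queried before it is run, so the task cannot tell whether
  # anything actually changed; it is reported as unchanged on every run.
  changed_when: false

- name: Ensure .ssh directory exists for admin users
  ansible.builtin.file:
    # Honour a non-default home when the inventory sets one.
    path: "{{ item.home | default('/home/' ~ item.username) }}/.ssh"
    state: directory
    owner: "{{ item.username }}"
    group: "{{ item.username }}"
    mode: "0700"
  loop: "{{ admin_users }}"
  loop_control:
    label: "{{ item.username }}"
  when: item.state | default('present') == 'present'

- name: Configure authorized SSH keys for admin users
  ansible.posix.authorized_key:
    user: "{{ item.username }}"
    # All of a user's keys go in one call (newline-separated) so that
    # `exclusive` can revoke keys dropped from the inventory; the module's
    # exclusive option is not loop-aware and would keep only the last key
    # if applied per key.
    key: '{{ item.authorized_keys | join("\n") }}'
    state: present
    # Default false preserves the previous behaviour (keys already in the
    # file are left alone). Set admin_keys_exclusive: true to make the
    # inventory the single source of truth for admin keys.
    exclusive: "{{ admin_keys_exclusive | default(false) }}"
  loop: "{{ admin_users }}"
  loop_control:
    label: "{{ item.username }}"
  when:
    - item.state | default('present') == 'present'
    - item.authorized_keys | default([]) | length > 0

- name: Set umask for admin users
  ansible.builtin.lineinfile:
    path: "{{ item.home | default('/home/' ~ item.username) }}/.bashrc"
    # Match an existing umask line so a changed default_umask replaces it
    # instead of appending a second umask line each time it changes.
    regexp: '^\s*umask\s'
    line: "umask {{ default_umask }}"
    create: true
    owner: "{{ item.username }}"
    group: "{{ item.username }}"
    mode: "0644"
  loop: "{{ admin_users }}"
  loop_control:
    label: "{{ item.username }}"
  when: item.state | default('present') == 'present'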