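---
# Creates a login account, grants it passwordless sudo, and authorises the
# controller's public SSH keys for it.

# password_hash is called without a salt, so the hash differs on every run;
# update_password: on_create means the password is only applied when the
# account is first created and is left alone afterwards.
- name: "Ensure '{{ create_username }}'"
  become: true
  ansible.builtin.user:
    name: "{{ create_username }}"
    password: "{{ create_pwgen | password_hash('sha512') }}"
    state: present
    shell: /bin/bash
    # Group list is selected per OS family; append keeps existing memberships.
    groups: "{{ created_users_groups[ansible_os_family] }}"
    append: true
    # Key generation is disabled, so the two ssh_key_* settings are inert
    # unless generate_ssh_key is switched on.
    generate_ssh_key: false
    ssh_key_bits: 2048
    ssh_key_file: .ssh/id_rsa
    update_password: on_create
  register: user_created
  # NOTE(review): the handler is defined outside this file. If it prints the
  # plaintext password, that value lands in the run output and any log or CI
  # artefact that captures it; confirm this is intended.
  notify: print generated password

- name: Ensure 'sudo' package is installed
  become: true
  ansible.builtin.package:
    name: sudo
    state: present

# NOPASSWD:ALL makes this account root-equivalent: anyone holding one of the
# SSH keys authorised below gets root without a further prompt.
- name: Enable nopasswd sudo
  become: true
  ansible.builtin.lineinfile:
    dest: /etc/sudoers
    # Match only this user's own entry. A bare '^username' prefix would also
    # match a longer account name that starts with the same characters and
    # overwrite that line; regex_escape keeps characters such as '.' literal.
    regexp: '^{{ create_username | regex_escape }}\s'
    line: "{{ create_username }} ALL=(ALL:ALL) NOPASSWD:ALL"
    # New entries go after the sudo group rule; sudoers applies the last
    # matching entry, so the user line has to follow the group line.
    insertafter: '^%{{ sudo_group_by_fam[ansible_os_family] }}.*$'
    state: present
    # The edited copy is syntax-checked before it replaces /etc/sudoers.
    validate: 'visudo -cf %s'

# Every file matching the glob on the controller is authorised, so review
# which id_*.pub files exist there before running. become matches the other
# tasks: writing another user's authorized_keys needs elevated rights.
- name: "Copy '~/.ssh/id_*.pub' (on controller) to authorized_keys for '{{ create_username }}'"
  become: true
  tags:
    - keys
  ansible.posix.authorized_key:
    user: "{{ create_username }}"
    state: present
    key: "{{ lookup('file', item) }}"
  with_fileglob:
    - '~/.ssh/id_*.pub'
  # Alternative kept from the original: an explicit key list. These items
  # are already file contents, so 'key' would have to become "{{ item }}".
  # with_items:
  #   - "{{ lookup('file','~/.ssh/id_ecdsa.pub') }}"
  #   - "{{ lookup('file','~/.ssh/id_ecdsa_sk.pub') }}"
  #   - "{{ lookup('file','~/.ssh/id_ed25519.pub') }}"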