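---
# Creates one user account described by the `user` mapping (username, uid,
# ssh_key, ...) and wires it into password-store, SSH key and sshd AllowUsers
# access. Meant to be included once per user (e.g. from a loop with
# `loop_var: user`); `user`, `user_groups`, `pass_length` and the
# `Restart SSH` handler are supplied by the caller, not defined here.
- name: "Create new user account"
  block:
    - name: Show which user account is being handled
      debug:
        msg: "Attempting to create account for {{ user.username }}..."

    # getent fails when the key is absent; the failure is ignored and the
    # registered result drives the `user_exists is failed` conditions below.
    # Any other getent failure (e.g. a broken NSS setup) looks the same as
    # "account missing" and would also take the create path.
    - name: Check if the user accounts already exists
      getent:
        database: passwd
        key: "{{ user.username }}"
      register: user_exists
      ignore_errors: true

    # Initialises the pass subfolder that will hold the new account's
    # password on the controller; the trailing argument is pass's gpg-id.
    # Runs as the controller user (become: false) so the operator's own
    # password store is used.
    - name: Prepare password store entry
      become: false
      delegate_to: localhost
      # NOTE(review): every other task in this file reads `user.*`; `item.email`
      # is only defined if an enclosing loop still exposes `item` — confirm
      # whether `user.email` was intended.
      command: "pass init -p users/{{ user.username }}/sudo/ {{ item.email }}"
      when: user_exists is failed
      tags:
        - molecule-notest

    # The password is generated and stored on the controller by the
    # passwordstore lookup (create=true); only its sha512 hash reaches the
    # managed host. Because of the `when`, this runs on first creation only,
    # so `update_password: always` never touches an existing account.
    - name: Create a new user account with a new password
      user:
        name: "{{ user.username }}"
        uid: "{{ user.uid }}"
        shell: /bin/bash
        # The lookup term is built with `~` instead of nesting `{{ }}` inside
        # the expression, which relied on Ansible re-templating lookup
        # arguments rather than on plain Jinja semantics.
        password: "{{ lookup('passwordstore', 'users/' ~ user.username ~ '/sudo/' ~ inventory_hostname ~ ' create=true length=' ~ pass_length) | password_hash('sha512') }}"
        groups: "{{ user_groups }}"
        append: true
        update_password: always
      when: user_exists is failed
      tags:
        - molecule-notest

    - name: Make sure the user's .ssh directory exists
      file:
        path: "/home/{{ user.username }}/.ssh"
        state: directory
        owner: "{{ user.username }}"
        group: "{{ user.username }}"
        mode: "0700"

    # blockinfile wraps the key in marker comments and replaces the marked
    # block on re-runs, so a changed `user.ssh_key` swaps the key instead of
    # leaving the old one authorized as well.
    - name: Add new member's SSH key to authorized_keys file
      blockinfile:
        path: "/home/{{ user.username }}/.ssh/authorized_keys"
        block: "{{ user.ssh_key }}"
        state: present
        create: true
        mode: "0600"
        owner: "{{ user.username }}"
        group: "{{ user.username }}"

    # Appends the username to an existing AllowUsers line unless it is already
    # listed (negative lookahead). The username is regex-escaped so a name
    # containing regex metacharacters cannot change what the pattern matches.
    # If sshd_config has no AllowUsers line at all this is a silent no-op:
    # the account exists but cannot log in over SSH, and nothing here reports
    # that — worth a guard if the config is not guaranteed to carry the line.
    - name: "Add username to the SSH AllowUsers configuration"
      replace:
        backup: true
        dest: /etc/ssh/sshd_config
        regexp: '^(AllowUsers(?!.*\b{{ user.username | regex_escape }}\b).*)$'
        replace: '\1 {{ user.username }}'
      notify: Restart SSH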