---
# remove user when remove variable is defined
- name: remove user
  user: state=absent remove=yes
        name={{ item.name }}
  when: item.state == 'absent'
  with_items:
  - "{{ users }}"

- name: Ensure all groups are present or absent
  group:
    name: '{{ item.name | default(item) }}'
    state: '{{ item.state | default("present") }}'
  with_items: '{{ user_groups }}'

- name: get bash's path
  command: which bash
  register: bash_path
  check_mode: no
  changed_when: false

- name: create user
  user:
    state: present
    name: "{{ item.username if item.username is defined else item.name }}"
    groups:
      - "{{ item.groups | default([]) | join(',')}}"
      - "{{ 'sudo,adm' if item.sudo is defined and item.sudo }}"
    append: true
    shell: '{{ item.shell | default(bash_path.stdout) }}'
    home: "{{ item.home | default('/home/' + (item.username | default(item.name))) }}"
  with_items:
  - "{{ users }}"
  when: item.state != 'absent'

- name: add user's authorized_keys
  authorized_key: user="{{ item.username if item.username is defined else item.name }}" manage_dir=true key="{{ item.public_key }}"
                  state=present exclusive=yes
  with_items:
  - "{{ users }}"
  when: item.state != 'absent' and item.public_key is defined

- name: add user to root's authorized_keys
  authorized_key: user="root" manage_dir=true key="{{ item.public_key }}"
                  state=present
  with_items:
  - "{{ users }}"
  when: item.state != 'absent' and item.public_key is defined and item.sudo is defined and item.sudo

- name: remove user from root's authorized_keys
  authorized_key: user="root" manage_dir=true key="{{ item.public_key }}"
                state=absent
  with_items:
  - "{{ users }}"
  when: item.state == 'absent' and item.public_key is defined

- name: create pve admin-group
  command:
    cmd: 'pveum groupadd admin -comment "System Administrators"'
  when: "'proxmox' in group_names"
  ignore_errors: True

- name: give pve admin-group privileges
  command:
    cmd: 'pveum aclmod / -group admin -role Administrator'
  when: "'proxmox' in group_names"

- name: create pve user
  command:
    cmd: 'pveum useradd {{ item.username if item.username is defined else item.name }}@pam'
  with_items:
  - "{{ users }}"
  when: item.state != 'absent' and 'proxmox' in group_names
  ignore_errors: True

- name: disable pve user
  command:
    cmd: 'pveum usermod {{ item.username if item.username is defined else item.name }}@pam -enable 0'
  with_items:
  - "{{ users }}"
  when: item.state == 'absent' and 'proxmox' in group_names
  ignore_errors: True

- name: add user to pve admin group
  command:
    cmd: 'pveum usermod {{ item.username if item.username is defined else item.name }}@pam -group admin'
  with_items:
  - "{{ users }}"
  when: item.state != 'absent' and 'proxmox' in group_names and item.sudo is defined and item.sudo