infrastructure/roles/archusers/tasks/main.yml

- name: Create Arch Linux-specific groups
  group: name="{{ item }}" state=present system=no
  loop: "{{ arch_groups }}"

- name: Filter arch_users for users with non-matching hosts
  set_fact: arch_users_filtered="{{ (arch_users_filtered | default([])) + [item] }}"
  when: item.value.hosts is not defined or inventory_hostname in item.value.hosts
  loop: "{{ arch_users | dict2items }}"

- name: Create Arch Linux-specific users
  ansible.builtin.user:
    name: "{{ item.key }}"
    group: users
    groups: "{{ item.value.groups | join(',') }}"
    comment: "{{ item.value.name }}"
    shell: "{{ shell_override | default(item.value.shell | default('/bin/bash')) }}"
    password: ""
    update_password: on_create
    state: present
  loop: "{{ arch_users_filtered }}"

- name: Create .ssh directory
  file: path=/home/{{ item.key }}/.ssh state=directory owner={{ item.key }} group=users mode=0700
  loop: "{{ arch_users_filtered }}"

- name: Configure ssh keys
  template: src=authorized_keys.j2 dest=/home/{{ item.key }}/.ssh/authorized_keys owner={{ item.key }} group=users mode=0600
  when: item.value.ssh_key is defined
  loop: "{{ arch_users_filtered }}"

- name: Remove ssh keys if undefined
  file: path=/home/{{ item.key }}/.ssh/authorized_keys state=absent
  when: item.value.ssh_key is not defined
  loop: "{{ arch_users_filtered }}"

- name: Get list of remote users
  find: paths="/home" file_type="directory"
  register: all_users

- name: Disable ssh keys of disabled users
  file: path="/home/{{ item }}/.ssh/authorized_keys" state=absent
  when:
    - item not in (arch_users_filtered | map(attribute='key'))
    - item not in (utility_users[inventory_hostname] | default([]))
  loop: "{{ all_users.files | map(attribute='path') | map('basename') | list }}"