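---
# Play 1: harden a freshly created container that is still in the [new]
# inventory group. We arrive as root; by the end of the play interactive
# root SSH and password logins are disabled and `target_user` is the only
# way in (SSH key + passwordless sudo).
- name: 1. Secure and Configure a New LXC Container
  hosts: new  # Target hosts in the [new] group
  remote_user: root  # Connect as root, as defined in the inventory for this group
  gather_facts: false
  vars:
    target_user: mbuz
    # lookup('file') runs on the controller, so this reads the controller's key.
    my_public_keys:
      - "{{ lookup('file', '/home/mbuz/.ssh/id_ed25519.pub') }}"
  tasks:
    - name: Create user '{{ target_user }}'
      ansible.builtin.user:
        name: "{{ target_user }}"
        shell: /bin/bash
        groups: sudo
        # Without append, re-running against an existing user would strip it
        # from every supplementary group other than sudo.
        append: true
        state: present

    # NOTE(review): NOPASSWD: ALL makes the SSH key alone equivalent to root.
    # With the password locked below that is the intended single credential;
    # narrow the command list if the account should not have full root.
    - name: Allow '{{ target_user }}' to use sudo without a password
      ansible.builtin.copy:
        dest: "/etc/sudoers.d/90-{{ target_user }}-nopasswd"
        # Block scalar: avoids quoting the ': ' in the rule and ends the file
        # with a newline, which visudo expects.
        content: |
          {{ target_user }} ALL=(ALL) NOPASSWD: ALL
        mode: "0440"
        # visudo -c on the temp file rejects a malformed rule before it is
        # installed, so a typo cannot lock us out of sudo.
        validate: /usr/sbin/visudo -cf %s

    - name: Set up authorized_keys for '{{ target_user }}'
      ansible.posix.authorized_key:
        user: "{{ target_user }}"
        key: "{{ item }}"
        state: present
        path: "/home/{{ target_user }}/.ssh/authorized_keys"
      loop: "{{ my_public_keys }}"

    # The account never gets a password; key-only access from here on.
    - name: Lock password for '{{ target_user }}'
      ansible.builtin.user:
        name: "{{ target_user }}"
        password_lock: true

    # sshd uses the first value it reads for a keyword. On images whose
    # sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf`, a
    # drop-in file setting PermitRootLogin/PasswordAuthentication would win
    # over the edits below -- TODO confirm no such drop-in exists on the image.
    - name: Disallow root login over SSH
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PermitRootLogin'
        line: 'PermitRootLogin no'
        # Syntax-check the candidate file before replacing the live config.
        validate: /usr/sbin/sshd -t -f %s
      notify: restart sshd

    - name: Disallow password authentication
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PasswordAuthentication'
        line: 'PasswordAuthentication no'
        validate: /usr/sbin/sshd -t -f %s
      notify: restart sshd

  handlers:
    # Runs once at the end of the play, after the current root session is
    # already established, so the root lockout does not interrupt this run.
    - name: Restart sshd server
      listen: restart sshd
      ansible.builtin.service:
        name: sshd  # NOTE(review): the unit is called 'ssh' on Debian/Ubuntu -- confirm for this image
        state: restarted

# --- Move host from NEW to LXC group ---
# Play 2: rewrite the static inventory on the controller so the hosts just
# hardened leave [new] (where play 1 would try root login again) and join [lxc].
- name: 2. Graduate Host from [new] to [lxc] in Inventory
  hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    - name: Remove host from the [new] group
      ansible.builtin.lineinfile:
        path: /opt/ansible/inventory/hosts.ini
        # regex_escape makes dots in an FQDN literal; the (\s|$) alternative
        # also matches a bare hostname line with no options after it.
        # This removes a matching line from any section, not only [new].
        regexp: '^{{ item | regex_escape }}(\s|$)'
        state: absent
      # default([]) keeps the play from failing when [new] is absent or empty.
      loop: "{{ groups['new'] | default([]) }}"

    - name: Add host to the [lxc] group
      ansible.builtin.blockinfile:
        path: /opt/ansible/inventory/hosts.ini
        block: |
          {{ item }} ansible_host={{ hostvars[item]['ansible_host'] | default(item) }}
        # insertafter is a regex: a plain "[lxc]" is a character class matching
        # a single l, x or c, so anchor and escape it to hit the section header.
        insertafter: '^\[lxc\]'
        # The marker must be unique per host: with one shared marker every loop
        # iteration replaces the block written for the previous host.
        marker: "# {mark} ANSIBLE MANAGED BLOCK FOR {{ item }}"
      loop: "{{ groups['new'] | default([]) }}"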