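---
# Bootstraps a freshly created LXC container: a non-root admin user with
# passwordless sudo and SSH-key-only access, a hardened sshd, and a checkout
# of the Docker repository under /opt/docker.
#
# Required inventory / extra vars:
#   target_user     - login name of the admin user to create
#   my_public_keys  - list of SSH public keys authorised for target_user
# Optional:
#   docker_repo_url - git remote cloned into /opt/docker (see task 5.1 for the default)
- name: Secure and Configure a New LXC Container
  hosts: 'lxc'  # Hosts or group defined in your inventory
  remote_user: root
  tasks:
    - name: 1.0. Create group 'homelab'
      ansible.builtin.group:
        name: homelab
        state: present

    - name: 1.1. Create user '{{ target_user }}' and add to groups
      ansible.builtin.user:
        name: '{{ target_user }}'
        shell: /bin/bash
        groups: sudo,homelab  # Add to sudo and homelab
        append: true  # Ensure user is added to groups without removing existing ones
        state: present

    # Passwordless sudo here plus the password lock in task 3 means the keys in
    # my_public_keys are the only credential standing between the network and
    # root on this host; keep that list minimal and prune it when keys are retired.
    - name: 1.2. Allow '{{ target_user }}' to use sudo without a password
      ansible.builtin.copy:
        dest: /etc/sudoers.d/90-{{ target_user }}-nopasswd
        content: '{{ target_user }} ALL=(ALL) NOPASSWD: ALL'
        mode: '0440'
        validate: /usr/sbin/visudo -cf %s  # Reject a malformed rule before it is installed

    - name: 2. Set up authorized_keys for '{{ target_user }}'
      ansible.posix.authorized_key:
        user: '{{ target_user }}'
        key: "{{ item }}"
        state: present
        path: /home/{{ target_user }}/.ssh/authorized_keys
      loop: "{{ my_public_keys }}"
      # ansible.posix.authorized_key will create an .ssh directory with the correct permissions.

    # Runs after task 2 so the account is never left with neither a password
    # nor an authorised key.
    - name: 3. Lock password for '{{ target_user }}'
      ansible.builtin.user:
        name: '{{ target_user }}'
        password_lock: true

    - name: 4.0. Install required software
      ansible.builtin.apt:
        name:
          - software-properties-common
          - git
        state: present
        update_cache: true

    # sshd keeps the first value it reads for a keyword. On releases whose
    # sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf`, a
    # drop-in that sets PermitRootLogin or PasswordAuthentication takes
    # precedence over the two edits below; confirm the effective settings
    # with `sshd -T` after the play has run.
    - name: 4.1. Disallow root login over SSH
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PermitRootLogin'
        line: 'PermitRootLogin no'
        validate: /usr/sbin/sshd -t -f %s  # Syntax-check the candidate file before it replaces sshd_config
      notify: restart sshd

    - name: 4.2. Disallow password authentication
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PasswordAuthentication'
        line: 'PasswordAuthentication no'
        validate: /usr/sbin/sshd -t -f %s
      notify: restart sshd

    - name: 5.0. Create /opt/docker directory
      ansible.builtin.file:
        path: /opt/docker
        state: directory
        owner: '{{ target_user }}'
        group: homelab
        mode: '0775'

    # The default remote is plain HTTP to a hard-coded LAN address, so the
    # clone has no transport integrity or server authentication. Set
    # docker_repo_url in inventory to an https:// or ssh remote where the
    # forge offers one.
    - name: 5.1. Clone Docker repository into /opt/docker
      ansible.builtin.git:
        repo: "{{ docker_repo_url | default('http://10.0.0.108:3000/Homelab/Docker.git') }}"
        dest: /opt/docker
        clone: true
        update: true
      become: true
      become_user: '{{ target_user }}'

  handlers:
    # This block will only run if at least one task sends a notification.
    # This prevents unnecessary service restarts.
    - name: 6. Restart sshd server
      listen: "restart sshd"
      ansible.builtin.service:
        name: sshd
        state: restarted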