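---
# Create Harper User Account
# Creates the harper user on all ubuntu hosts and deploys SSH authorized keys
#
# Usage:
#   ansible-playbook adduser_harper.yml
#
# Target specific host:
#   ansible-playbook adduser_harper.yml --limit ariel.incus
#
# Security summary: the account ends up with key-only SSH login and
# unrestricted passwordless sudo on every host in the `ubuntu` group.
# Each public key in ssh_authorized_users for this user is therefore a
# root credential for the whole group.

- name: Create Harper User Account
  hosts: ubuntu
  become: true

  vars:
    harper_user:
      name: harper
      comment: "Harper - Autonomous Agent"
      shell: /bin/bash
      groups:
        - sudo

  tasks:
    # No password is set here, so the deployed SSH keys are the only
    # credential this play provisions for the account.
    - name: Create harper user account
      ansible.builtin.user:
        name: "{{ harper_user.name }}"
        comment: "{{ harper_user.comment }}"
        shell: "{{ harper_user.shell }}"
        groups: "{{ harper_user.groups }}"
        # append keeps any supplementary groups the user already has.
        append: true
        create_home: true
        state: present

    # Assumes the home directory is /home/<name> -- TODO confirm if a
    # non-default home is ever configured for this user.
    - name: Ensure .ssh directory exists for harper
      ansible.builtin.file:
        path: "/home/{{ harper_user.name }}/.ssh"
        state: directory
        mode: '0700'
        owner: "{{ harper_user.name }}"
        group: "{{ harper_user.name }}"

    # ssh_authorized_users is not defined in this playbook; presumably it
    # comes from inventory or group_vars. The lookup takes the `keys` list
    # of the first entry whose name matches and falls back to [] when no
    # entry matches.
    - name: Get harper keys from ssh_authorized_users
      ansible.builtin.set_fact:
        harper_keys: >-
          {{ ssh_authorized_users
             | selectattr('name', 'equalto', harper_user.name)
             | map(attribute='keys')
             | first
             | default([]) }}

    # NOTE(review): with exclusive: false this task only ever adds keys.
    # A key removed from ssh_authorized_users stays in authorized_keys on
    # the hosts, so revocation needs a separate `state: absent` run (or a
    # single exclusive task that receives all keys joined by newlines).
    - name: Deploy authorized keys for harper
      ansible.posix.authorized_key:
        user: "{{ harper_user.name }}"
        key: "{{ item }}"
        state: present
        exclusive: false
      loop: "{{ harper_keys }}"
      loop_control:
        # Truncated label keeps full key material out of the task output.
        label: "{{ item | truncate(50) }}"
      when: harper_keys | length > 0

    # NOTE(review): NOPASSWD:ALL gives this automation account unrestricted
    # root without re-authentication. If the agent's tasks are known,
    # a command allowlist in this drop-in is the narrower grant.
    #
    # The file name and rule follow harper_user.name so they cannot drift
    # from the account created above. sudo skips drop-in files whose name
    # contains a '.', so the user name must not contain one.
    - name: Configure passwordless sudo for harper
      ansible.builtin.lineinfile:
        path: "/etc/sudoers.d/{{ harper_user.name }}"
        line: "{{ harper_user.name }} ALL=(ALL) NOPASSWD:ALL"
        create: true
        owner: root
        group: root
        mode: '0440'
        # Syntax-check the candidate file before it replaces the live one.
        validate: "visudo -cf %s"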