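---
# SSH Authorized Keys Management
# Deploys authorized_keys to all ubuntu hosts based on the
# ssh_authorized_users variable.
#
# Usage:
#   ansible-playbook auth_keys.yml
#
# Override exclusive mode (removes unlisted keys):
#   ansible-playbook auth_keys.yml -e "ssh_exclusive_mode=true"
#
# Target specific host:
#   ansible-playbook auth_keys.yml --limit ariel.incus
#
# Variables defined in: inventory/group_vars/all/auth_keys.yml
#
# As used below, each ssh_authorized_users entry is a mapping with:
#   name: account name on the target host
#   keys: list of public key strings for that account

- name: Manage SSH Authorized Keys
  hosts: ubuntu
  become: true
  tasks:
    # NOTE(review): the path assumes every account lives under /home/<name>
    # and has a group named after the user. Confirm for root or service
    # accounts before listing them in ssh_authorized_users.
    - name: Ensure .ssh directory exists for each user
      ansible.builtin.file:
        path: "/home/{{ item.name }}/.ssh"
        state: directory
        mode: '0700'
        owner: "{{ item.name }}"
        group: "{{ item.name }}"
      loop: "{{ ssh_authorized_users }}"
      loop_control:
        label: "{{ item.name }}"

    # Additive mode: one iteration per (user, key) pair produced by
    # subelements. item.0 is the user entry and item.1 is a single key.
    # Keys already present on the host but absent from the list are kept.
    - name: Deploy authorized keys (additive mode)
      ansible.posix.authorized_key:
        user: "{{ item.0.name }}"
        key: "{{ item.1 }}"
        state: present
        exclusive: false
      loop: "{{ ssh_authorized_users | subelements('keys') }}"
      loop_control:
        label: "{{ item.0.name }}: {{ item.1 | truncate(50) }}"
      # `-e "ssh_exclusive_mode=..."` arrives as a string, not a boolean.
      # The bool cast stops a value such as "false" from being treated as
      # set and silently selecting the destructive branch instead.
      when: not (ssh_exclusive_mode | bool)

    # Exclusive mode: every key not listed for the user is removed from
    # authorized_keys, including keys added outside this playbook. Review
    # ssh_authorized_users before enabling it, because an incomplete list
    # revokes access for the missing keys.
    - name: Deploy authorized keys (exclusive mode)
      ansible.posix.authorized_key:
        user: "{{ item.name }}"
        # Bracket lookup is required here: with dot notation, `item.keys`
        # resolves to the dictionary's keys() method rather than the 'keys'
        # entry. All keys are passed as one newline-joined batch because
        # `exclusive` is applied per loop iteration.
        key: "{{ item['keys'] | join('\n') }}"
        state: present
        exclusive: true
      loop: "{{ ssh_authorized_users }}"
      loop_control:
        label: "{{ item.name }}"
      when: ssh_exclusive_mode | bool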