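---
# Provisions an administrative 'tps' account on every host in the 'servers'
# group: creates the user with a password, generates an RSA key pair owned by
# that user, grants sudo, and registers the public key with Gitea.
#
# The Gitea API token is read from GITEA_API_TOKEN on the controller instead
# of being written into the playbook; a token that was previously committed
# here in plaintext must be treated as exposed and revoked.
- name: Add user 'tps' with sudo ability and SSH key
  hosts: servers
  become: true

  vars:
    tps_user: tps
    tps_home: "/home/{{ tps_user }}"
    gitea_url: "https://gitea.hptrow.me"
    gitea_api_token: "{{ lookup('ansible.builtin.env', 'GITEA_API_TOKEN') }}"

  vars_prompt:
    - name: tps_password
      prompt: "Enter the password for 'tps' user:"
      private: true

  tasks:
    - name: Ensure the Gitea API token is available on the controller
      ansible.builtin.assert:
        that:
          - gitea_api_token | length > 0
        fail_msg: "Set GITEA_API_TOKEN in the controller environment before running this play."
      delegate_to: localhost
      become: false
      run_once: true

    - name: Create the 'tps' user, set its password and generate its SSH key pair
      ansible.builtin.user:
        name: "{{ tps_user }}"
        state: present
        shell: /bin/bash
        create_home: true
        # The salt is derived per host, so the hash is stable across runs
        # (idempotent) without publishing one fixed salt in the playbook.
        # The user module treats 'password' as sensitive and redacts it.
        password: "{{ tps_password | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"
        # Letting the user module generate the key creates ~/.ssh with the
        # right owner/mode and skips generation when the key already exists;
        # running ssh-keygen via shell as root left the files root-owned.
        generate_ssh_key: true
        ssh_key_type: rsa
        ssh_key_bits: 4096
        ssh_key_file: .ssh/id_rsa
        ssh_key_comment: "{{ tps_user }}@{{ ansible_hostname }}"

    - name: Set appropriate permissions for 'tps' user's SSH directory
      ansible.builtin.file:
        path: "{{ tps_home }}/.ssh"
        state: directory
        mode: "0700"
        owner: "{{ tps_user }}"
        group: "{{ tps_user }}"

    - name: Read the public key content
      ansible.builtin.slurp:
        src: "{{ tps_home }}/.ssh/id_rsa.pub"
      register: public_key_file

    - name: Add 'tps' user to sudoers
      ansible.builtin.lineinfile:
        path: /etc/sudoers
        line: "{{ tps_user }} ALL=(ALL:ALL) ALL"
        # Reject the edit if the resulting file does not parse.
        validate: "visudo -cf %s"

    - name: Add the public key to Gitea using the API with the access token
      ansible.builtin.uri:
        url: "{{ gitea_url }}/api/v1/user/keys"
        method: POST
        headers:
          # Gitea's API expects the 'token' (or 'Bearer') scheme prefix;
          # a bare token value in the header is not accepted.
          Authorization: "token {{ gitea_api_token }}"
          Content-Type: "application/json"
        body_format: json
        body:
          title: "{{ tps_user }}-{{ ansible_hostname }}"
          key: "{{ public_key_file.content | b64decode | trim }}"
        # 201 = created; 422 = Gitea reports the key is already registered,
        # which is the expected outcome on a re-run.
        status_code: [201, 422]
      register: gitea_key_result
      changed_when: gitea_key_result.status == 201
      delegate_to: localhost
      # Runs on the controller, where root is not needed; the play-level
      # become would otherwise apply to this task as well.
      become: false
      # Keeps the token and request body out of logs and callback output.
      no_log: true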