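---
# Baseline sudo/SSH access for the hosts in `host_list`, connecting as
# `my_user`. Both variables must be supplied by the caller (inventory or
# extra vars); neither has a default here.
#
# What the play does, in order:
#   1. ensures group `sudo` exists and group `wheel` does not;
#   2. adds `my_user` to `sudo` and resets the connection so the new group
#      membership is picked up;
#   3. installs SSH public keys for `my_user` and for root;
#   4. deploys the role/playbook-local `sshd_config`;
#   5. removes every line containing NOPASSWD from /etc/sudoers.
- hosts: "{{ host_list }}"
  become_method: sudo
  remote_user: "{{ my_user }}"

  tasks:
    - name: SUDO | Group sudo presence
      become: true
      ansible.builtin.group:
        name: sudo
        state: present

    - name: SUDO | Group wheel absence
      become: true
      ansible.builtin.group:
        name: wheel
        state: absent

    - name: SUDO | User presence (with groups)
      become: true
      ansible.builtin.user:
        name: "{{ my_user }}"
        state: present
        groups: sudo
        # append keeps the user's existing supplementary groups.
        append: true

    - name: SUDO | Reset ansible connection to apply group update
      become: true
      ansible.builtin.meta: reset_connection

    # NOTE(review): the key material is fetched from a URL at run time, so
    # whatever keys that GitLab account publishes when the play runs are
    # granted login. Committing the reviewed public key to the repository
    # and referencing it from there would pin what gets authorized.
    # `exclusive` is not set, so keys already in authorized_keys stay.
    - name: "SSH | Local public key is present for {{ my_user }}"
      become: true
      ansible.builtin.authorized_key:
        comment: "Managed by Ansible from GitLab @free_zed"
        key: "https://gitlab.com/free_zed.keys"
        state: present
        user: "{{ my_user }}"

    # The content of `sshd_config` is not part of this playbook; the task
    # name is the only statement of what it enforces.
    # NOTE(review): no task or handler here reloads the SSH daemon, so the
    # new configuration presumably takes effect only after the service is
    # reloaded by other means - confirm.
    - name: SSH | Disallow SSH password authentication for root
      become: true
      ansible.builtin.copy:
        src: sshd_config
        dest: /etc/ssh/sshd_config
        owner: root
        group: root
        mode: "0600"
        # Refuse to install a file sshd cannot parse; a broken sshd_config
        # can lock out remote access on the next daemon restart.
        validate: '/usr/sbin/sshd -t -f %s'

    # NOTE(review): same remote key source as above, this time granting
    # direct root login; the same pinning consideration applies.
    - name: "SSH | Local public key is present for root"
      become: true
      ansible.builtin.authorized_key:
        comment: "Managed by Ansible from GitLab @free_zed"
        key: "https://gitlab.com/free_zed.keys"
        state: present
        user: root

    # Deletes whole lines matching NOPASSWD, not just the tag, and only in
    # /etc/sudoers itself: drop-in files under /etc/sudoers.d are not
    # touched by this task. visudo checks the result before it is written.
    # NOTE(review): if `my_user` relied on a NOPASSWD rule, later runs will
    # presumably need a become password - confirm.
    - name: SSH | Remove no password directive
      become: true
      ansible.builtin.lineinfile:
        path: /etc/sudoers
        state: absent
        regexp: 'NOPASSWD'
        validate: '/usr/sbin/visudo -cf %s'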