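# Provision the "webadmin" account: install sudo and zsh, create the user,
# install its SSH public key, grant sudo, then restrict sshd to key-only,
# non-root logins. Both sshd tasks notify the "Restart SSH" handler, which
# is defined outside this file.

- name: Ensure sudo is available
  ansible.builtin.apt:
    state: present
    update_cache: true
    pkg:
      - sudo
      - zsh

- name: Create webadmin user
  ansible.builtin.user:
    name: webadmin
    state: present
    shell: /bin/zsh
    # NOTE(review): the nginx group is not created in this file; presumably
    # the nginx package or an earlier task provides it - confirm ordering.
    groups:
      - nginx
    # append keeps any group memberships the account already has.
    append: true

- name: Copy webadmin public key
  ansible.posix.authorized_key:
    user: webadmin
    state: present
    key: "{{ lookup('file', 'files/webadmin.pem.pub') }}"

# NOTE(review): NOPASSWD: ALL makes possession of the webadmin SSH key
# equivalent to root on this host. If the account only needs a few commands,
# list them here instead of ALL.
- name: Add webadmin to sudoers
  ansible.builtin.copy:
    dest: /etc/sudoers.d/webadmin
    # Block scalar so the file ends with a newline.
    content: |
      webadmin ALL=(ALL) NOPASSWD: ALL
    # 0440 is the conventional mode for sudoers fragments; only root (and
    # sudo itself) needs to read them.
    mode: "0440"
    owner: root
    group: root
    # Syntax-check the fragment before it is moved into place, so a bad
    # edit cannot break sudo for every user.
    validate: /usr/sbin/visudo -cf %s

# sshd uses the first value it obtains for each keyword, so appending
# "PasswordAuthentication no" below an existing "PasswordAuthentication yes"
# leaves password logins enabled. The regexp replaces an existing (active or
# commented-out) directive in place; when none exists, the line is inserted
# before the first Match block so that it applies globally.
# NOTE(review): a directive set earlier in the file or in an Include'd
# drop-in can still take precedence - confirm the effective value with
# `sshd -T` after the run.
- name: Disable Password Authentication
  ansible.builtin.lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: '^\s*#?\s*PasswordAuthentication\s+'
    insertbefore: '^\s*Match\s'
    firstmatch: true
    line: PasswordAuthentication no
    state: present
    backup: true
    # Refuse to install a config sshd cannot parse; a broken sshd_config
    # combined with the restart below would lock out remote access.
    validate: /usr/sbin/sshd -t -f %s
  notify:
    - Restart SSH

# Same in-place replacement and validation as the task above.
- name: Disable root login
  ansible.builtin.lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: '^\s*#?\s*PermitRootLogin\s+'
    insertbefore: '^\s*Match\s'
    firstmatch: true
    line: PermitRootLogin no
    state: present
    backup: true
    validate: /usr/sbin/sshd -t -f %s
  notify:
    - Restart SSH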