# Shell-account provisioning: creates a passwordless-sudo group and its sudoers
# rule, creates the accounts listed in `shell_users`, installs their SSH public
# keys, and deletes the accounts listed in `revoked_shell_users`.
# Every task escalates privileges with `become`.

# The group is created empty; no task in this list assigns members to it.
- name: Create a group of users that will be able to use sudo without typing in their passwords.
  become: true
  ansible.builtin.group:
    name: sudo-nopassword

# `commands: ALL` with `nopassword: true` makes membership of sudo-nopassword
# equivalent to root with no second factor: for a member account, possession
# of its SSH private key is enough to run anything as root. Keep membership
# small and review it together with `shell_users`.
- name: Grant the group to run commands with root privileges.
  become: true
  community.general.sudoers:
    name: sudo-nopassword
    group: sudo-nopassword
    commands: ALL
    nopassword: true

# Expects each `shell_users` item to carry `username` and `comment`.
# NOTE(review): `append` only matters together with `groups`, which is not set
# here, so this task does not add anyone to sudo-nopassword. Confirm where
# group membership is managed.
- name: Create accounts for system users
  become: true
  ansible.builtin.user:
    name: "{{ item.username }}"
    comment: "{{ item.comment }}"
    state: present
    append: false
  loop: "{{ shell_users }}"

# The key is added without `exclusive`, so keys already present in the
# account's authorized_keys file stay in place; a key that is replaced in
# `shell_users` is not removed from hosts by this task.
# `ignore_errors` evaluates to true only in check mode, presumably because the
# accounts from the previous task do not exist yet during a dry run.
- name: Add a public SSH key to all of the user accounts for the devops people.
  become: true
  ansible.posix.authorized_key:
    user: "{{ item.username }}"
    key: "{{ item.public_ssh_key }}"
  loop: "{{ shell_users }}"
  ignore_errors: "{{ ansible_check_mode }}"

# `state: absent` without `remove` deletes the account but leaves its home
# directory (including any authorized_keys file) on disk, and this task does
# not end sessions the user already has open.
# NOTE(review): revocation runs last, so a name present in both lists ends up
# removed, but a host that fails an earlier task never reaches this one.
# Confirm that a provisioning failure cannot delay a revocation.
- name: Remove all user accounts that have been revoked.
  become: true
  ansible.builtin.user:
    name: "{{ item }}"
    state: absent
  loop: "{{ revoked_shell_users }}"