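---
# Provision the account CI deploys through: its primary group, the user,
# a passwordless-sudo drop-in, and the CI public key for SSH login.
#
# Taken together, the last two tasks make the CI deploy key equivalent to
# root on every host this runs against: anyone able to use the matching
# private key (CI secret store, runner hosts) gets unrestricted root.
# Protect and rotate that key as a root credential.

- name: Ensure deploy group exists
  ansible.builtin.group:
    name: "{{ deploy_group }}"
    state: present

- name: Ensure deploy user exists
  ansible.builtin.user:
    name: "{{ deploy_user }}"
    group: "{{ deploy_group }}"
    # `append` is not set, so supplementary groups are reset to exactly
    # this list on every run; memberships added elsewhere are removed.
    groups: sudo
    shell: /bin/bash
    create_home: true
    state: present

- name: Ensure deploy user has passwordless sudo
  ansible.builtin.lineinfile:
    # sudo skips drop-ins whose file name contains "." or ends in "~", so
    # a deploy_user containing a dot would leave this rule silently unused.
    path: "/etc/sudoers.d/{{ deploy_user }}"
    # Any command, as any user, without a password. If the deploy job only
    # needs a few commands, list those here instead of ALL.
    line: "{{ deploy_user }} ALL=(ALL) NOPASSWD:ALL"
    create: true
    # sudo rejects sudoers files that are not owned by uid 0. Pinning the
    # owner also corrects a drop-in that already exists with other
    # ownership, which `create` alone would leave as it is.
    owner: root
    group: root
    mode: "0440"
    # Syntax-check the candidate file before it replaces the live one, so
    # a malformed line cannot lock sudo out.
    validate: "visudo -cf %s"

- name: Add CI deploy public key to authorized_keys
  ansible.posix.authorized_key:
    user: "{{ deploy_user }}"
    state: present
    # `exclusive` is not set, so keys already in the file are kept, and
    # they inherit the same sudo rights. No `key_options` are set either,
    # so the key carries no authorized_keys restrictions (source address,
    # forced command, no-pty, ...).
    key: "{{ ci_deploy_pubkey }}"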