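---
# First-run playbook executed as root before the deploy user exists.
# Usage: ansible-playbook playbooks/bootstrap.yml -u root
#
# The public key installed for the deploy user is read on the control node.
# Override deploy_pubkey_path (e.g. -e deploy_pubkey_path=/path/to/key.pub)
# to use a key other than the default ~/.ssh/id_ed25519.pub.
- name: Bootstrap server
  hosts: servers
  become: false  # we connect as root on the first run, so no escalation is needed
  remote_user: root
  vars:
    # Path of the public key on the control node; the file lookup runs locally.
    deploy_pubkey_path: "~/.ssh/id_ed25519.pub"

  tasks:
    - name: Update apt cache
      ansible.builtin.apt:
        update_cache: true
        cache_valid_time: 3600  # skip the refresh when the cache is under an hour old

    - name: Install essential packages
      ansible.builtin.apt:
        name:
          - python3
          - python3-pip
          - sudo
          - curl
          - git
        state: present

    - name: Create deploy group
      ansible.builtin.group:
        name: deploy
        state: present

    - name: Create deploy user
      ansible.builtin.user:
        name: deploy
        group: deploy
        groups: sudo
        append: true  # add to sudo without stripping groups granted later on re-runs
        shell: /bin/bash
        create_home: true
        state: present

    - name: Set up authorized keys for deploy user
      ansible.posix.authorized_key:
        user: deploy
        state: present
        key: "{{ lookup('file', deploy_pubkey_path) }}"

    - name: Allow deploy user passwordless sudo
      ansible.builtin.lineinfile:
        path: /etc/sudoers.d/deploy
        line: "deploy ALL=(ALL) NOPASSWD:ALL"
        create: true
        owner: root  # sudo ignores drop-ins not owned by root
        group: root
        mode: "0440"  # quoted: an unquoted 0440 would be read as an octal integer
        validate: "visudo -cf %s"  # reject a malformed drop-in instead of breaking sudo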