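# SPDX-FileCopyrightText: 2023 Max Mehl
#
# SPDX-License-Identifier: Apache-2.0
---
# Configure one local user account: derive the value for the `password`
# argument of ansible.builtin.user from the `password` / `allow_no_password`
# variables, then apply shell, SSH key and group settings.
#
# Variables are expected from the caller (role defaults / inventory), not set
# here: username, password (optional), allow_no_password, shell,
# generate_ssh_key, ssh_key_type, user_groups, groups_append.

# Handle cases in which password variable is undefined or empty.
# "*" is not a valid crypt(3) hash, so password authentication is disabled
# while the account itself stays usable (e.g. with SSH keys).
- name: Disable password login for user unless empty password allowed for user {{ username }}
  when:
    - password | default('', true) | length == 0
    - not (allow_no_password | default(false) | bool)
  ansible.builtin.set_fact:
    password_value: "*"

# An empty password field lets anyone log in without a password; only do this
# when the caller has explicitly opted in with allow_no_password.
- name: Allow login without password as it is explicitely allowed for user {{ username }}
  when:
    - password | default('', true) | length == 0
    - allow_no_password | default(false) | bool
  ansible.builtin.set_fact:
    password_value: ""

- name: Hash provided password for user {{ username }}
  when:
    # Non-empty password has been provided
    - password | default('', true) | length > 0
    # None of the special cases has been handled before
    - password_value is not defined
  # The cleartext password is rendered into these tasks; keep it out of
  # task output and logs.
  no_log: true
  block:
    # The salt is derived from public, stable values so the resulting hash is
    # identical on every run (otherwise ansible.builtin.user would report a
    # change each time). The trade-off is a predictable, low-entropy salt: an
    # attacker holding /etc/shadow gains nothing from guessing it, but it is
    # not a random salt. "$6$" uses at most 16 salt characters from
    # [./0-9A-Za-z], which the hex digest satisfies.
    - name: Create idempotent salt for {{ username }}'s password
      ansible.builtin.set_fact:
        salt: "{{ ((username + inventory_hostname) | hash('sha512'))[:16] }}"

    # Hash on the controller with the password_hash filter instead of the
    # former `shell: python3 -c '... crypt.crypt("{{ password }}" ...)'`
    # one-liner: no shell quoting or process argument carries the cleartext,
    # so a password containing ', ", $ or ; can neither break the command nor
    # inject into it, and it is not visible in `ps` on the target. The
    # Python `crypt` module that the one-liner relied on was removed in
    # Python 3.13. NOTE(review): depending on whether passlib is installed on
    # the controller the hash format (e.g. a rounds= field) may differ from
    # the old crypt.crypt output, so expect a one-time "changed" on the user
    # task after switching — confirm on a test host.
    - name: Set password value fact for user {{ username }}
      ansible.builtin.set_fact:
        password_value: "{{ password | password_hash('sha512', salt) }}"

- name: "Ensure user is configured correctly: {{ username }}"
  ansible.builtin.user:
    name: "{{ username }}"
    # Already a shadow-style value: "*" (locked), "" (no password) or the
    # "$6$..." hash computed above. Never pass cleartext here.
    password: "{{ password_value }}"
    shell: "{{ shell }}"
    # SSH
    generate_ssh_key: "{{ generate_ssh_key }}"
    ssh_key_type: "{{ ssh_key_type }}"
    # Groups
    groups: "{{ user_groups }}"
    append: "{{ groups_append }}"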