---

- name: Set or unset root password
  block:
  - name: Set root password
    ansible.builtin.user:
      name: root
      password: "{{ root.password | password_hash('sha512') }}"
      password_lock: false
    when: root.password is defined and root.password | length > 0 and root.password != "!"
    no_log: true

  - name: Update ansible_become_pass
    ansible.builtin.set_fact:
      ansible_become_pass: "{{ root.password }}"
    when: root.password is defined and root.password | length > 0 and root.password != "!"
    no_log: true

  - name: Lock root login
    ansible.builtin.user:
      name: root
      password_lock: true
    when: root.password is defined and root.password | length <= 0

- name: Create .ssh directory
  ansible.builtin.file:
    path: "/root/.ssh"
    state: directory
    owner: "root"
    group: "root"
    mode: "0700"

- name: "Create authorized_keys file"
  ansible.builtin.template:
    src: root/.ssh/authorized_keys.j2
    dest: "/root/.ssh/authorized_keys"
    owner: "root"
    group: "root"
    mode: "0600"
  when: root.ssh is defined and
        root.ssh.authorized_keys is defined and
        root.ssh.authorized_keys | length > 0

- name: "Remove authorized_keys file"
  ansible.builtin.file:
    path: "/root/.ssh/authorized_keys"
    state: absent
  when: root.ssh is defined and
        root.ssh.authorized_keys is defined and
        root.ssh.authorized_keys | length <= 0 or
        root.ssh is defined and
        root.ssh.authorized_keys is not defined or
        root.ssh is not defined

- name: "Generate private and public SSH key"
  when: root.ssh is defined and
        (
          root.ssh.private_keys is not defined or
          root.ssh.private_keys | length <= 0
        )
  block:
  - name: "Check if private SSH key already exists"
    ansible.builtin.stat:
      path: "/root/.ssh/{{ inventory_hostname_short }}.key"
    register: stat_result
  - name: "Generate private SSH key"
    community.crypto.openssh_keypair:
      path: "/root/.ssh/{{ inventory_hostname_short }}.key"
      type: ed25519
      size: 512
      state: present
      comment: "root@{{ inventory_hostname_short }}"
      force: false
    when: not stat_result.stat.exists

- name: "Create private and public SSH key"
  when: root.ssh is defined and
        root.ssh.private_keys is defined and
        root.ssh.private_keys | length > 0
  block:
  - name: "Create private SSH keys"
    ansible.builtin.copy:
      src: "{{ playbook_dir }}/ssh/private_keys/{{ item }}"
      dest: "/root/.ssh/{{ item }}"
      owner: "root"
      group: "root"
      mode: "0600"
    with_items:
    - "{{ root.ssh.private_keys }}"

  - name: "Extract public SSH keys from private keys"
    ansible.builtin.shell:
    args:
      executable: /bin/bash
      cmd: "ssh-keygen -y -f /root/.ssh/{{ item }} > /root/.ssh/{{ item }}.pub"
    register: _root_ssh_pub_key_extraction
    changed_when: _root_ssh_pub_key_extraction.rc == 0
    failed_when: _root_ssh_pub_key_extraction.rc > 0
    with_items:
    - "{{ root.ssh.private_keys }}"

- name: "Create custom SSH client config"
  ansible.builtin.template:
    src: root/.ssh/config.j2
    dest: /root/.ssh/config
    owner: "root"
    group: "root"
    mode: "0644"
  when: root.ssh.config is defined and root.ssh.config | length >= 0

- name: "Remove custom SSH client config"
  ansible.builtin.file:
    path: "/root/.ssh/config"
    state: absent
  when: root.ssh.config is not defined