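---
# Create fresh LXC containers and bootstrap them: install Python, set the
# root password, deploy SSH keys, optionally add a sudo-capable service user,
# and bring up the SSH daemon.
#
# Expected per-host inventory variables (not defined in this file):
#   os_d  - distro name; key into cmdline_python / ssh_package_name / ...
#   os_r  - release passed to the LXC "download" template
- hosts: all
  gather_facts: false   # facts are gathered explicitly once Python is installed
  serial: 1             # one host at a time; container creation is delegated to the LXC host
  vars:
    # List(!) of SSH keys for authorized_keys. Set here or in group_vars/all.yml
    #ssh_keys: []
    #
    # root password, default: "root"
    #root_password: root
    #
    # Normal user account (with sudo)
    #service_username: service
    #service_password: {{ service_username }}
    #service_ssh_keys: {{ ssh_keys }}

    # Commands run through `raw` to get a Python interpreter onto the fresh
    # container before any regular module can be used.
    cmdline_python:
      alpine:
        - "apk add -U python3"
      centos: &cmdline_python_centos
        - "yum clean all"
        - "yum makecache"
        - "yum install -y python3 || true"
      debian: &cmdline_python_debian
        - "apt-get -y update"
        - "apt-get install -y python3 python3-apt"
      devuan: *cmdline_python_debian
      fedora: *cmdline_python_centos
      opensuse:
        # NOTE(review): --no-gpg-checks disables package signature verification
        # for the bootstrap install; acceptable only for throwaway containers.
        - "zypper --gpg-auto-import-keys --no-gpg-checks -n refresh"
        - "zypper --gpg-auto-import-keys --no-gpg-checks -n install python3"
      ubuntu: *cmdline_python_debian
      voidlinux:
        - "xbps-install -Suy python3 libgcc"

    # SSH server package where it is not called "openssh-server".
    ssh_package_name:
      alpine: openssh
      opensuse: openssh
      voidlinux: openssh

    # SSH daemon service where it is not called "sshd".
    ssh_service_name:
      devuan: ssh

    # Login shell for the service user where /bin/bash is not available.
    user_shell:
      alpine: /bin/ash

  tasks:
    # Hosts in the "lxc_hosts" group are the container hosts themselves, not
    # containers to build; skip them. A missing group means "no such hosts".
    - name: End for non-LXContainer
      meta: end_host
      when: inventory_hostname in groups['lxc_hosts'] | default([])

    - name: Create LXContainer
      lxc_container:
        name: "{{ inventory_hostname }}"
        state: started
        template: download
        # NOTE(review): --no-validate skips signature validation of the
        # downloaded image index; reconsider once image signatures can be verified.
        template_options: "-a amd64 -d {{ os_d }} -r {{ os_r }} --no-validate"
        config: /etc/lxc/ansible.conf
      register: lxc_created
      delegate_to: "{{ ansible_host|default('localhost') }}"

    - name: Give a newly created container time to boot
      pause:
        seconds: 10
      when: lxc_created is changed

    - name: Raw-Install Python
      raw: "{{ item }}"
      loop: "{{ cmdline_python[os_d] }}"

    - name: Gather facts now that Python is available
      setup:

    - name: Set root password
      # Shell-quote the password so metacharacters in it cannot alter the
      # command, and keep the value out of the task log.
      shell: "echo root:{{ root_password | default('root') | quote }} | chpasswd -c SHA256"
      no_log: true

    - name: Add SSH keys
      authorized_key:
        user: root
        key: "{{ item }}"
      loop: "{{ ssh_keys }}"

    - name: "[BLOCK] when 'service_username' is set"
      when: service_username is defined
      block:
        - name: 'Add normal user "{{ service_username }}"'
          user:
            name: "{{ service_username }}"
            shell: "{{ user_shell[os_d]|default('/bin/bash') }}"

        - name: 'Set password for user "{{ service_username }}"'
          shell: "echo {{ service_username | quote }}:{{ service_password | default(service_username) | quote }} | chpasswd -c SHA256"
          no_log: true

        - name: Add SSH keys
          authorized_key:
            user: "{{ service_username }}"
            key: "{{ item }}"
          # "service_ssh_keys" is the documented variable (see vars above);
          # "ssh_keys_service" is still honoured for existing inventories.
          loop: "{{ service_ssh_keys | default(ssh_keys_service) | default(ssh_keys) }}"

        - name: Install sudo
          package:
            name: sudo

        - name: Add sudo line for service
          lineinfile:
            path: /etc/sudoers
            # Match this user's own line, not every line starting with "service".
            regexp: "^{{ service_username | regex_escape }}\\s"
            line: "{{ service_username }} ALL=(ALL:ALL) NOPASSWD: ALL"
            backup: true
            # A malformed sudoers entry locks everyone out of sudo; let visudo check it.
            validate: "visudo -cf %s"

    - name: Install SSH
      package:
        name: "{{ ssh_package_name[os_d]|default('openssh-server') }}"
        state: latest

    - name: "Set «PermitRootLogin» to «yes»"
      # Password login for root is deliberately allowed on these containers;
      # "prohibit-password" would be the tighter setting once keys are in place.
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#? *PermitRootLogin'
        line: "PermitRootLogin yes"
        backup: true
      notify: "Restart SSH"

    - name: Enable SSH
      service:
        name: "{{ ssh_service_name[os_d]|default('sshd') }}"
        enabled: true

    - name: Start SSH
      service:
        name: "{{ ssh_service_name[os_d]|default('sshd') }}"
        state: started
      ignore_errors: true   # some init systems report an error even though sshd is up

  handlers:
    - name: Restart SSH
      service:
        name: "{{ ssh_service_name[os_d]|default('sshd') }}"
        state: restarted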