- name:
  hosts: webservers
  vars_files:
    - vars/users_vars.yml
  tasks:
    - name: create webadmin group
      group:
        name: webadmin
        state: present
    - name: create user account
      user:
        name: "{{ item.username }}"
        groups: "{{ item.groups }}"
      loop: "{{ users }}"
    - name: add authorized keys
      authorized_key:
        user: "{{ item.username }}"
        key: "{{ lookup('file', 'files/'+item.username + '.key.pub') }}"
      loop: "{{ users  }}"
    - name: modify sudoers
      copy:
        content: "%webadmin ALL=(ALL) NOPASSWD: ALL"
        dest: /etc/sudoers.d/webadmin
        mode: 0440
    - name: disable root ssh login 
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "^PermitRootLogin"
        line: "PermitRootLogin no"
      notify: Restart sshd

  handlers:
    - name: Restart sshd
      service:
        name: sshd
        state: restarted