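---
# Create a user and add their SSH public keys.
#
# Expects a `user` mapping that provides `name` and, optionally, `groups`.
# When `user.groups` is not set, `user_default_groups` is used instead.

- name: "Create user {{ user.name }} with no password"
  user:
    name: "{{ user.name }}"
    shell: /bin/bash
    # '*' is not a valid password hash, so password authentication can never
    # succeed while public-key SSH login keeps working.
    # See https://unix.stackexchange.com/questions/193066/how-to-unlock-account-for-public-key-ssh-authorization-but-not-for-password-aut/193131#193131
    password: '*'
    groups: "{{ user.groups | default(user_default_groups) }}"
    # The group list is authoritative: with append disabled the user is
    # removed from every supplementary group that is not listed above.
    append: false
    state: present
    # Re-apply the '*' hash on every run, so a password set directly on the
    # host does not survive the next play.
    update_password: always

- name: "Add SSH public keys for user {{ user.name }}"
  authorized_key:
    user: "{{ user.name }}"
    state: present
    # Multiple SSH keys can be passed, but they must be separated by newlines.
    # Every file matched by user_ssh_key_path is read on the control node and
    # installed as-is, so anyone who can write to that directory can grant
    # themselves a login as this user; review changes to it accordingly.
    key: |
      {% for key_file in lookup('fileglob', user_ssh_key_path, wantlist=true) %}
      {{ lookup('file', key_file) }}
      {% endfor %}
    # Remove obsolete keys: any entry in the user's authorized_keys that is
    # not in the list above is deleted, which is how dropping a .pub file
    # revokes that key.
    # NOTE(review): if the glob matches no files the rendered key list is
    # empty - confirm whether that should strip every key or fail the play.
    exclusive: true
  vars:
    user_ssh_key_path: "ssh/{{ user.name }}/*.pub"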