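# eventually define authorized_keys_runner in inventory/group_vars/
# do not enforce group (usually runner by default from terraform install-time & cloud-init)

# Service account the CI runner executes as.
- name: runner user
  ansible.builtin.user:
    name: runner
    shell: /bin/bash
  diff: true

# Root via sudo for the runner account. `commands: ALL` means anything a job
# executes as this user can become root for any command. The sudoers module
# grants NOPASSWD unless told otherwise, so the flag is written out here to
# keep that decision visible in review rather than inherited from a default.
# Narrow `commands` if jobs only need root for a known set of binaries.
- name: runner sudo config
  community.general.sudoers:
    name: runner
    user: runner
    runas: root
    commands: ALL
    nopassword: true  # module default, made explicit; NOTE(review): confirm passwordless root is intended
  diff: true

# Owner-only key directory (what sshd's StrictModes check expects).
- name: runner ssh dir
  ansible.builtin.file:
    path: /home/runner/.ssh
    state: directory
    owner: runner
    mode: "0700"  # quoted: an unquoted leading-zero literal is an octal int to YAML 1.1 parsers
  diff: true

# Install the inventory-supplied public keys as a managed block.
# `create: true` is required: blockinfile does not create a missing
# destination, so on a fresh host the task fails before owner/mode are applied.
- name: runner authorized keys
  ansible.builtin.blockinfile:
    block: "{{ authorized_keys_runner }}\n"
    path: /home/runner/.ssh/authorized_keys
    create: true
    owner: runner
    mode: "0600"
  diff: true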