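#
# Eventually run from a workstation to create the "runner" user that
# gitlab-runner-ansible connects with.
#
# Dry run, then apply (the trailing comma makes NEW-SERVER an inline inventory):
#   ansible-playbook tasks-ansible.yml -i NEW-SERVER, -e become=true --check
#   ansible-playbook tasks-ansible.yml -i NEW-SERVER, -e become=true
#
# The "become" extra var is required; the play templates it into the
# play-level `become` keyword.
#
---
- name: early sysprep for ansible runner
  gather_facts: false
  hosts: all
  become: "{{ become }}"

  tasks:
    - name: Add runner user
      ansible.builtin.user:
        name: runner
        group: users

    # NOTE(review): this grants "runner" unrestricted sudo as root, so any
    # key listed in the runner's authorized_keys is equivalent to root on
    # the host. Narrow `commands` if the runner's playbooks allow it, and
    # treat the runner's private key as a root credential.
    - name: Allow runner sudo
      community.general.sudoers:
        name: runner-by-ansible
        user: runner
        runas: root
        commands: ALL
        # Module default, spelled out so the passwordless grant is visible
        # in review.
        nopassword: true

    - name: Add ssh dir
      ansible.builtin.file:
        path: /home/runner/.ssh
        state: directory
        owner: runner
        group: users
        # Quoted so the mode is never re-typed by the YAML parser.
        mode: "0700"

    - name: runner's authorized keys
      ansible.builtin.blockinfile:
        path: /home/runner/.ssh/authorized_keys
        block: "{{ lookup('file', 'templates/blockinfile_runner_authorized_keys') }}"
        prepend_newline: true
        append_newline: true
        create: true
        owner: runner
        group: users
        mode: "0600"
      # lookup('file', ...) returns a string, so the previous `!= []`
      # comparison was always true and never skipped the task. An empty
      # block makes blockinfile remove the managed block, which would drop
      # the runner's keys; skip the task instead when the key file is empty.
      when: "lookup('file', 'templates/blockinfile_runner_authorized_keys') | length > 0"
      # Show the authorized_keys change in the run output for review.
      diff: true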