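# Admin-user setup for IIAB: create the admin account, set its initial
# password only on first creation, manage its membership of group 'sudo',
# and make sudo log every command to /var/log/sudo.log.
# Expects iiab_admin_user, iiab_admin_published_pwd and iiab_admin_can_sudo
# to be defined by the including play/role.

- name: Check if user '{{ iiab_admin_user }}' exists    # iiab-admin
  command: "id {{ iiab_admin_user | quote }}"    # quote to avoid ';' exploits
  register: user_info
  changed_when: false    # Read-only probe: never report it as 'changed'
  failed_when: false    # Hides red errors (stronger than 'ignore_errors: yes')

- name: Establish user {{ iiab_admin_user }} with shell /bin/bash, for login to IIAB's Admin Console (http://box.lan/admin) AND for IIAB community support commands (/usr/bin/iiab-* and /usr/sbin/iiab-*) at the command-line
  user:
    name: "{{ iiab_admin_user }}"
    #group: "{{ iiab_admin_user }}"    # Neither nec as 'USERGROUPS_ENAB yes'
    #groups: "{{ iiab_admin_user }}"    # is set in any modern /etc/login.defs
    shell: /bin/bash
    #password: "{{ iiab_admin_pwd_hash }}"    # 2020-10-14: DEPRECATED in favor
    #update_password: on_create    # of 'command: chpasswd' below. See: #2570

- name: If user didn't exist, set password to '{{ iiab_admin_published_pwd }}'    # g0adm1n
  #shell: "echo {{ iiab_admin_user }}:{{ iiab_admin_published_pwd }} | chpasswd"
  command: chpasswd    # Equiv to line above, but safer
  args:
    # stdin goes straight to chpasswd (no shell involved), so the values must
    # NOT be shell-quoted: '| quote' wraps any password containing spaces or
    # shell metacharacters in single quotes, and those quotes would then
    # become part of the password actually set.
    stdin: "{{ iiab_admin_user }}:{{ iiab_admin_published_pwd }}"
  no_log: true    # Keep the cleartext password out of task output and logs
  when: user_info.rc != 0

# roles/2-common/tasks/packages.yml also installs sudo, but that's too late
- name: 'Install package: sudo'
  package:
    name: sudo

- name: Add user {{ iiab_admin_user }} to group sudo, for support commands like {iiab-diagnostics, iiab-hotspot-on, iiab-check-firmware}, if iiab_admin_can_sudo
  command: "gpasswd -a {{ iiab_admin_user | quote }} sudo"
  #user:
  #  name: "{{ iiab_admin_user }}"
  #  groups: sudo
  #  append: yes
  when: iiab_admin_can_sudo | bool

- name: Remove user {{ iiab_admin_user }} from group sudo, if not iiab_admin_can_sudo
  command: "gpasswd -d {{ iiab_admin_user | quote }} sudo"
  # '| bool' as in the task above: without it a string value such as "False"
  # is truthy, and 'not' would evaluate the opposite of what was intended.
  when: not (iiab_admin_can_sudo | bool)
  failed_when: false    # Hides red errors (stronger than 'ignore_errors: yes')

# The sudoers steps are grouped so that /etc/sudoers is put back to 0440 even
# when the edit fails -- otherwise a failed run would leave the file at 0640.
- name: Edit /etc/sudoers, restoring its 0440 mode whether or not the edit succeeds
  block:
    - name: Temporarily make file /etc/sudoers editable (0640)
      file:
        path: /etc/sudoers
        mode: "0640"    # Quoted: an unquoted 0640 is an octal int to the YAML parser

    - name: '/etc/sudoers: Have sudo log all commands to /var/log/sudo.log'
      lineinfile:
        path: /etc/sudoers
        regexp: logfile    # An existing line containing 'logfile' is replaced by 'line'
        line: "Defaults logfile = /var/log/sudo.log"
        validate: /usr/sbin/visudo -cf %s    # Never write a sudoers that visudo rejects

    #- name: Lets {{ iiab_admin_user }} sudo without password
    ##- name: Lets wheel sudo without password
    #  lineinfile:
    #    path: /etc/sudoers
    #    line: "{{ iiab_admin_user }} ALL=(ALL) NOPASSWD: ALL"
    ##    line: "%wheel ALL= NOPASSWD: ALL"

    # Not nec (heavyhanded removal of customizations+comments) given sudo defaults.
    #- name: Remove all lines that contain 'requiretty'
    #  lineinfile:
    #    path: /etc/sudoers
    #    regexp: requiretty
    #    state: absent

  always:
    - name: End editing file /etc/sudoers -- protect it again (0440)
      file:
        path: /etc/sudoers
        mode: "0440"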