---
- name: Bootstrap Ansible SSH access from pvef to Slurm nodes
  hosts: slurm_cluster
  gather_facts: false
  become: true

  vars:
    ansible_controller_pubkey: "{{ lookup('file', lookup('env', 'HOME') + '/.ssh/id_ed25519.pub') }}"

  pre_tasks:
    - name: Wait for SSH
      ansible.builtin.wait_for_connection:
        timeout: 30

    - name: Install Python if missing - Debian/Ubuntu
      ansible.builtin.raw: |
        test -e /usr/bin/python3 || (apt-get update && apt-get install -y python3)
      changed_when: false

  tasks:
    - name: Ensure sudo is installed
      ansible.builtin.apt:
        name:
          - sudo
          - openssh-server
        state: present
        update_cache: true

    - name: Ensure SSH server is enabled and running
      ansible.builtin.service:
        name: ssh
        state: started
        enabled: true

    - name: Ensure .ssh directory exists for login user
      ansible.builtin.file:
        path: "/home/{{ ansible_user }}/.ssh"
        state: directory
        owner: "{{ ansible_user }}"
        group: "{{ ansible_user }}"
        mode: "0700"

    - name: Add pvef root public key to login user's authorized_keys
      ansible.builtin.authorized_key:
        user: "{{ ansible_user }}"
        key: "{{ ansible_controller_pubkey }}"
        state: present
        manage_dir: true

    - name: Allow bootstrap login user passwordless sudo
      ansible.builtin.copy:
        dest: "/etc/sudoers.d/90-ansible-{{ ansible_user }}"
        owner: root
        group: root
        mode: "0440"
        content: |
          {{ ansible_user }} ALL=(ALL) NOPASSWD:ALL
        validate: "visudo -cf %s"