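---
# Tasks: create the admin user, install SSH public keys fetched from a URL and
# grant passwordless sudo. Expects admin_user and admin_ssh_pub_key_url to be
# defined and the play to run with the privileges needed to manage users,
# home directories and /etc/sudoers.d.

- name: User "{{ admin_user }}" anlegen
  ansible.builtin.user:
    name: "{{ admin_user }}"
    shell: /bin/bash
    state: present
  register: admin_user_result

# Intentionally not gated on admin_user_result.changed: if the user already
# exists but ~/.ssh is missing, the authorized_keys tasks below would fail.
# state: directory is idempotent, so running it unconditionally is safe.
- name: .ssh‑Verzeichnis anlegen
  ansible.builtin.file:
    path: "/home/{{ admin_user }}/.ssh"
    state: directory
    owner: "{{ admin_user }}"
    group: "{{ admin_user }}"
    mode: "0700"

# Fetched on the controller. The uri module verifies TLS certificates by
# default; keep admin_ssh_pub_key_url on https so the key material that ends
# up in authorized_keys cannot be tampered with in transit.
- name: Public‑Keys von URL holen
  ansible.builtin.uri:
    url: "{{ admin_ssh_pub_key_url }}"
    return_content: true
  delegate_to: localhost
  register: fetched_keys

# One list entry per line of the fetched document (may include blank lines).
- name: Liste der einzelnen Keys erstellen
  ansible.builtin.set_fact:
    key_list: "{{ fetched_keys.content.splitlines() }}"

# touch alone bumps the timestamps and reports "changed" on every run; the
# preserve options keep this task idempotent once the file exists.
- name: authorized_keys anlegen (falls nicht vorhanden)
  ansible.builtin.file:
    path: "/home/{{ admin_user }}/.ssh/authorized_keys"
    state: touch
    owner: "{{ admin_user }}"
    group: "{{ admin_user }}"
    mode: "0600"
    modification_time: preserve
    access_time: preserve

# Each non-empty line is added as its own key; blank lines are skipped.
- name: Jeden Key einzeln mit authorized_key hinzufügen
  ansible.builtin.authorized_key:
    user: "{{ admin_user }}"
    key: "{{ item | trim }}"
    state: present
  loop: "{{ key_list }}"
  when: item | trim != ""

# Grants unrestricted passwordless sudo to admin_user. validate runs visudo on
# the temporary file before it is moved into place, so a malformed entry can
# never leave the host with a broken sudo configuration.
- name: Passwordless‑sudo für alle Befehle konfigurieren
  ansible.builtin.copy:
    dest: "/etc/sudoers.d/{{ admin_user }}"
    content: |
      {{ admin_user }} ALL=(ALL) NOPASSWD: ALL
    owner: root
    group: root
    mode: "0440"
    validate: /usr/sbin/visudo -cf %s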