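# User provisioning and sshd hardening.
# Order matters: both key-based logins are installed before password and
# creator logins are disabled, so a failed run cannot lock the host out.
# A "restart sshd" handler must be defined elsewhere in the play.
- block:
    - name: Load vaulted provisioning variables
      ansible.builtin.include_vars: "{{ playbook_dir ~ '/vault/user_provisioning' }}"

    # Atmen : slave, servant
    - name: Add provisioning user "atmen" for ansible
      ansible.builtin.user:
        name: atmen
        comment: Ansible provisioner
        groups: sudo
        append: true
        shell: /bin/bash
        # password_hash() draws a fresh random salt on every run, so the hash
        # differs each time and this task reports "changed" on every run.
        password: "{{ vault_atmen_password | password_hash('sha512') }}"

    - name: Set authorized key for atmen
      ansible.posix.authorized_key:
        user: atmen
        state: present
        key: "{{ lookup('file', atmen_ssh_key_host_path) }}"

    - name: Add maintainer user
      ansible.builtin.user:
        name: "{{ vault_maintainer_user }}"
        comment: Maintainer user
        groups: sudo
        append: true
        shell: /bin/bash
        # Same fresh-salt caveat as for atmen above.
        password: "{{ vault_maintainer_password | password_hash('sha512') }}"

    - name: Set authorized key for maintainer user
      ansible.posix.authorized_key:
        user: "{{ vault_maintainer_user }}"
        state: present
        key: "{{ lookup('file', maintainer_ssh_key_host_path) }}"

    # Locks the root password only; key-based root SSH login is governed by
    # sshd's PermitRootLogin, which this task list does not set.
    - name: Disable root login
      ansible.builtin.user:
        name: root
        password: '*'

    # No regexp: lineinfile matches the exact line, so a second run is a no-op.
    - name: Disable SSH login for creator
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        line: DenyUsers creator
        state: present
      notify: restart sshd

    # The optional "#" prefix lets the regexp replace a commented-out default
    # instead of appending a duplicate directive at the end of the file.
    - name: Disable password login
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^(#\s*)?PasswordAuthentication '
        line: "PasswordAuthentication no"
      notify: restart sshd

    # Same optional-"#" regexp as above; stock sshd_config ships "#Port 22".
    # lineinfile already reports changed only when the line is rewritten, so no
    # changed_when override is needed — an unconditional one would restart
    # sshd on every run.
    - name: Change SSH port
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^(#\s*)?Port '
        line: "Port {{ sshd_port }}"
      notify: restart sshd
  become: true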