---
# Install every public key listed in keys2deploy for the ansible user.
# Keys are only ever added (state: present, exclusive not set): a key
# removed from keys2deploy stays in authorized_keys until it is explicitly
# set absent, and keys already present but not in the list are left alone.
- name: Deploy SSH keys
  ansible.posix.authorized_key:
    user: ansible
    state: present
    key: "{{ pubkey }}"
  loop: "{{ keys2deploy }}"
  loop_control:
    loop_var: pubkey

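# Grant the ansible user passwordless root through a drop-in in
# /etc/sudoers.d. Combined with the SSH keys deployed above (and the
# password lock below), the SSH key is the sole credential for root on this
# host, so keep keys2deploy tight.
- name: Allow sudo without password for ansible
  ansible.builtin.lineinfile:
    path: /etc/sudoers.d/95-lmn-ansible
    line: 'ansible ALL=(root) NOPASSWD: ALL'
    create: true
    owner: root
    group: root
    # sudo's compiled-in sudoers_mode is 0440; some sudo versions refuse a
    # drop-in whose mode differs, and the execute bit in 0700 has no meaning
    # for a data file.
    mode: '0440'
    # Syntax-check the candidate file before it replaces the real one. A
    # malformed drop-in makes sudo refuse to run at all (not just this rule),
    # which would strand every later task that relies on become.
    validate: '/usr/sbin/visudo -cf %s'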

# Lock the ansible account's password (usermod -L on Linux): no
# password/interactive login, while the account itself stays active, so the
# key-based SSH access deployed above and the sudo rule keep working.
# NOTE(review): an sshd built without PAM support treats a '!'-prefixed hash
# as a locked account and rejects all logins, keys included -- confirm
# targets run sshd with UsePAM enabled (the distro default).
- name: Disable ansible user login
  ansible.builtin.user:
    name: ansible
    password_lock: true

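# Harden sshd through a drop-in: no password authentication, and only the
# ansible user may log in over SSH at all. This deliberately locks every
# other account out of SSH, so make sure console/out-of-band access exists
# before rolling it out.
#
# sshd uses the first value it reads for most keywords, so
# "PasswordAuthentication no" only takes effect if the main sshd_config has
# "Include /etc/ssh/sshd_config.d/*.conf" before its own setting (the
# Debian/Ubuntu default). AllowUsers lists accumulate across directives, so
# an AllowUsers line elsewhere in the config widens this one.
- name: Limit SSH access to user ansible
  ansible.builtin.blockinfile:
    path: /etc/ssh/sshd_config.d/local.conf
    create: true
    owner: root
    group: root
    mode: '0644'
    block: |
      PasswordAuthentication no
      AllowUsers ansible
    # Reject a syntactically broken fragment before it is installed: a bad
    # sshd config makes the reload handler fail and can lock us out. This
    # checks the fragment on its own, not the merged configuration.
    validate: '/usr/sbin/sshd -t -f %s'
  notify: Reload sshd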