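# Baseline provisioning: refresh the apt cache, upgrade the system, install
# common tools and create the admin account described by the `admin` variable
# (keys read below: name, groups, shell, ssh_keys).

- name: Ensure latest apt cache
  ansible.builtin.apt:
    update_cache: true
    cache_valid_time: 3600  # 1 hour

# Full dist-upgrade. No reboot or service-restart handling is visible in
# these tasks, so an upgraded kernel or shared library may stay unloaded
# until the host is restarted.
- name: Upgrade all packages
  ansible.builtin.apt:
    upgrade: dist

- name: Install common packages
  ansible.builtin.apt:
    name:
      - curl
      - wget
      - htop
      - git
      - rsync
      - nfs-common  # If you plan to mount NFS shares
    state: present

# Skipped unless admin.name is set. admin.groups and admin.shell are read
# without a default, so they must be defined whenever admin.name is.
- name: Create new admin user
  ansible.builtin.user:
    name: "{{ admin.name }}"
    groups: "{{ admin.groups }}"
    shell: "{{ admin.shell }}"
    state: present
    create_home: true
    append: true  # Ensures other groups don't get removed
  when:
    - admin.name is defined
    - admin.name | length > 0

# Keys are only ever added here (state: present, one key per loop item).
# A key dropped from admin.ssh_keys stays in authorized_keys on hosts that
# already have it, so revocation needs a separate step.
- name: Add SSH keys for new admin user
  ansible.posix.authorized_key:
    user: "{{ admin.name }}"
    state: present
    key: "{{ item }}"
  loop: "{{ admin.ssh_keys }}"
  when:
    - admin.name is defined
    - admin.name | length > 0
    - admin.ssh_keys is defined
    - admin.ssh_keys | length > 0

# Optional hardening, left disabled. Before enabling, confirm that the admin
# user can log in with a key and escalate privileges; otherwise this task can
# lock you out of the host.
# - The guard uses admin.name / admin.ssh_keys, the variables the tasks above
#   read, so root login is only disabled once an admin key has been deployed.
# - The regexp also matches a commented-out default, so the existing line is
#   replaced instead of a second one being appended at the end of the file.
# - validate makes sshd check the edited file before it is put in place.
# - notify needs a "Restart sshd" handler, which is not part of these tasks.
#
# - name: Disable root SSH login (optional, but recommended)
#   ansible.builtin.lineinfile:
#     path: /etc/ssh/sshd_config
#     regexp: '^#?\s*PermitRootLogin\b'
#     line: 'PermitRootLogin no'
#     state: present
#     validate: '/usr/sbin/sshd -t -f %s'
#   notify: Restart sshd
#   when:
#     - admin.name is defined
#     - admin.name | length > 0
#     - admin.ssh_keys is defined
#     - admin.ssh_keys | length > 0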