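# Creates the groups in `user_groups`, grants passwordless sudo to the groups
# flagged `sudo`, creates the accounts in `users` and manages their SSH keys.
#
# Variables read by these tasks:
#   user_groups: list of mappings with `name`, `state` and `sudo`
#   users:       list of mappings with `name`, `groups` (list) and `ssh_keys`
#                (list of mappings with `key` and `state`)
- name: Prepare global users
  block:
    - name: Ensure required groups exist
      ansible.builtin.group:
        name: "{{ item.name }}"
        state: "{{ item.state }}"
      loop: "{{ user_groups }}"

    # The rule is written for the group being iterated. The previous version
    # hard-coded %wheel, so any group flagged `sudo` re-asserted the wheel rule
    # and the flagged group itself never received one.
    # NOPASSWD: ALL is unrestricted root without re-authentication; keep the
    # set of groups with `sudo: true` as small as possible.
    - name: Allow passwordless sudo for certain groups
      ansible.builtin.lineinfile:
        path: /etc/sudoers
        state: present
        # Trailing \s anchors on the whole group name, so a rule for a longer
        # name sharing the same prefix is not overwritten.
        regexp: '^%{{ item.name | regex_escape }}\s'
        line: '%{{ item.name }} ALL=(ALL) NOPASSWD: ALL'
        # visudo rejects a syntactically broken file before it replaces
        # /etc/sudoers.
        validate: 'visudo -cf %s'
      when:
        # A missing `sudo` key means "no sudo" instead of an undefined error.
        - item.sudo | default(false) | bool
        # Do not write a rule for a group this play removes; a dangling rule
        # would apply to any group later created under the same name.
        - item.state == 'present'
      loop: "{{ user_groups }}"

    - name: Create the users user
      ansible.builtin.user:
        name: "{{ item.name }}"
        shell: /bin/bash
        groups: "{{ item.groups | join(',') }}"
        # append: false makes `groups` authoritative: supplementary
        # memberships not listed in item.groups are removed.
        append: false
        # No `password` is passed. The original carried an empty `password:`
        # key, which parses as null and is treated as unset.
        # NOTE(review): accounts presumably log in only with the SSH keys
        # managed below; confirm. If a password is ever needed, supply a
        # pre-hashed value from a vault, never plaintext.
      loop: "{{ users }}"

    # subelements pairs each user (item.0) with each of its ssh_keys entries
    # (item.1); a key with state `absent` is removed from authorized_keys.
    - name: Set authorized keys for user
      ansible.posix.authorized_key:
        user: "{{ item.0.name }}"
        state: "{{ item.1.state }}"
        key: "{{ item.1.key }}"
      loop: "{{ users | subelements('ssh_keys') }}"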