---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

- name: Ensure root has a .ssh directory
  ansible.builtin.file:
    path: /root/.ssh
    state: directory
    owner: root
    group: root
    mode: "0700"
  tags:
    - ssh-key-dir

- name: Check for existing ssh private key file
  ansible.builtin.stat:
    path: /root/.ssh/id_rsa
  register: ssh_key_private
  tags:
    - ssh-key-check

- name: Check for existing ssh public key file
  ansible.builtin.stat:
    path: /root/.ssh/id_rsa.pub
  register: ssh_key_public
  tags:
    - ssh-key-check

- name: Remove an existing private/public ssh keys if one is missing
  ansible.builtin.file:
    path: "/root/.ssh/{{ item }}"
    state: absent
  when: not ssh_key_public.stat.exists or not ssh_key_private.stat.exists
  with_items:
    - 'id_rsa'
    - 'id_rsa.pub'
  tags:
    - ssh-key-clean

- name: Create ssh key pair for root
  ansible.builtin.user:
    name: root
    generate_ssh_key: true
    ssh_key_bits: 2048
    ssh_key_file: /root/.ssh/id_rsa
  tags:
    - ssh-key-generate

- name: Fetch the generated public ssh key
  ansible.builtin.fetch:
    src: "/root/.ssh/id_rsa.pub"
    dest: "/tmp/id_rsa.pub"
    flat: true
  when: inventory_hostname == groups['all'][0]
  tags:
    - ssh-key-authorized

- name: Ensure root's new public ssh key is in authorized_keys
  ansible.posix.authorized_key:
    user: root
    key: "{{ lookup('file', '/tmp/id_rsa.pub') }}"
    manage_dir: false
  tags:
    - ssh-key-authorized