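---
# Rotate SSH authorized_keys for the users listed in debian_ssh_rotation_users.
# Each entry carries: name, home, an optional state (present|absent, default
# present) and, when present, keys (a list of SSH public keys).
#
# The per-user key list is read as item['keys'] throughout. Under Jinja2
# attribute lookup item.keys resolves to the dict's .keys() method, not the
# "keys" entry: `item.keys is defined` would then always be true and
# `item.keys | length` / `for key in item.keys` would fail at runtime.

- name: Validate SSH key rotation inputs
  ansible.builtin.assert:
    that:
      - item.name is defined
      - item.home is defined
      - (item.state | default('present')) in ['present', 'absent']
      # An absent user needs no keys; a present user needs at least one.
      - (item.state | default('present')) == 'absent' or (item['keys'] is defined and item['keys'] | length > 0)
    fail_msg: >-
      Each entry in debian_ssh_rotation_users must include name, home, and
      either: state=absent, or keys with at least one SSH public key.
  loop: "{{ debian_ssh_rotation_users }}"
  loop_control:
    label: "{{ item.name | default('unknown') }}"

- name: Ensure ~/.ssh exists for managed users
  ansible.builtin.file:
    path: "{{ item.home }}/.ssh"
    state: directory
    owner: "{{ item.name }}"
    group: "{{ item.name }}"
    mode: "0700"
  loop: "{{ debian_ssh_rotation_users }}"
  loop_control:
    label: "{{ item.name }}"
  when: (item.state | default('present')) == 'present'

- name: Rotate authorized_keys for managed users
  # The whole file is replaced from the inventory list, so any key not listed
  # in item['keys'] is revoked on this run.
  ansible.builtin.copy:
    dest: "{{ item.home }}/.ssh/authorized_keys"
    owner: "{{ item.name }}"
    group: "{{ item.name }}"
    mode: "0600"
    content: |
      {% for key in item['keys'] %}
      {{ key }}
      {% endfor %}
  loop: "{{ debian_ssh_rotation_users }}"
  loop_control:
    label: "{{ item.name }}"
  when: (item.state | default('present')) == 'present'

- name: Remove authorized_keys for users marked absent
  # NOTE(review): only ~/.ssh/authorized_keys is removed here; sshd's default
  # AuthorizedKeysFile also names .ssh/authorized_keys2 — confirm against the
  # sshd_config in use if that file could exist on managed hosts.
  ansible.builtin.file:
    path: "{{ item.home }}/.ssh/authorized_keys"
    state: absent
  loop: "{{ debian_ssh_rotation_users }}"
  loop_control:
    label: "{{ item.name }}"
  when: (item.state | default('present')) == 'absent'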