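---
# Reconciles local login accounts on the production hosts: every account with
# a UID above 1000 that is not listed below is deleted, and the accounts in
# required_users are created and given the SSH public keys stored under keys/.
- hosts: production
  # Fact gathering needs Python on the target; a newly provisioned EC2
  # instance may not have it yet, so the first task installs it via raw.
  gather_facts: false
  become: true
  vars:
    # Accounts with UID > 1000 that must never be deleted.
    default_users: ['nobody']
    # Accounts that must exist. Each one needs a public key file at
    # keys/<username>, resolved by the file lookup on the control node.
    required_users: ['badshah', 'bob', 'alice']
  tasks:
    - name: Check python
      # raw does not need Python on the target, unlike regular modules.
      raw: test -e /usr/bin/python || (apt -y update && apt install -y python-minimal)
      changed_when: false

    - name: Get list of all users
      # Lists account names whose UID is strictly greater than 1000. UID 1000
      # itself is never listed, so that account is outside this playbook's
      # control.
      # NOTE(review): confirm that is intended; on many cloud images UID 1000
      # is the default login account.
      shell: "getent passwd | awk -F: '$3 > 1000 {print $1}'"
      changed_when: false
      register: users

    - name: Remove all users
      # remove: true also deletes the home directory and mail spool, so the
      # accounts in required_users are skipped here. Deleting and recreating
      # them on every run would destroy their data and report a change each
      # time.
      user:
        name: "{{ item }}"
        state: absent
        remove: true
      with_items: "{{ users.stdout_lines }}"
      when:
        - item not in default_users
        - item not in required_users

    - name: Add required users
      user:
        name: "{{ item }}"
        state: present
      with_items: "{{ required_users }}"

    - name: Add SSH public keys
      # exclusive: true drops any key not present in keys/<username>, so a key
      # added on the host out of band does not survive the next run. The
      # option applies per loop iteration, which here is one user at a time.
      # The path is built by concatenation because Jinja delimiters cannot be
      # nested inside an expression.
      authorized_key:
        user: "{{ item }}"
        state: present
        exclusive: true
        key: "{{ lookup('file', 'keys/' + item) }}"
      with_items: "{{ required_users }}"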