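---
# Provisions a dedicated account that can only be used for SSH port
# forwarding (autossh tunnels): no shell, no command, key-only login.
# Requires the variable `ssh_pub_key` (a single public-key line) to be
# supplied by inventory or extra vars; templating fails if it is undefined.
- name: Setup autossh-tunnel user for SSH tunneling
  hosts: all
  become: true

  handlers:
    # sshd reads its configuration at start-up or on reload, so the Match
    # block written below is not enforced until the daemon is reloaded.
    # NOTE(review): `nogroup` below implies a Debian-family host, where the
    # unit is presumably `ssh`; set sshd_service_name where it differs.
    - name: Reload sshd
      ansible.builtin.service:
        name: "{{ sshd_service_name | default('ssh') }}"
        state: reloaded

  tasks:
    # Per-user restrictions live in a drop-in so the main sshd_config stays
    # untouched. NOTE(review): this only takes effect if sshd_config
    # includes /etc/ssh/sshd_config.d/*.conf - confirm on the target hosts.
    #
    # NOTE(review): `AllowTcpForwarding yes` allows forwarding in both
    # directions to any destination this host can reach. If the tunnel
    # endpoints are known, narrow it with `AllowTcpForwarding local` or
    # `remote`, and with PermitOpen / PermitListen.
    - name: Create SSH configuration for autossh-tunnel
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/autossh-tunnel.conf
        content: |
          # Custom autossh-tunnel Settings
          Match User autossh-tunnel
            AllowTcpForwarding yes
            PubkeyAuthentication yes
            PasswordAuthentication no
            AllowAgentForwarding no
            ForceCommand /bin/false
            X11Forwarding no
            PermitTTY no
        owner: root
        group: root
        mode: '0644'
        # Refuse to install a fragment that sshd cannot parse.
        validate: /usr/sbin/sshd -t -f %s
      notify: Reload sshd

    # System account with no usable shell; clients must connect without
    # requesting a command (for example `ssh -N`).
    - name: Add autossh-tunnel user
      ansible.builtin.user:
        name: autossh-tunnel
        comment: "autossh-tunnel user"
        uid: 33333
        group: nogroup
        home: /home/autossh-tunnel
        shell: /bin/false
        create_home: true
        system: true

    # Create ~/.ssh with its final owner and mode before anything is
    # written into it, so the key file never sits in a directory that was
    # implicitly created with root ownership and default permissions.
    - name: Set permissions for .ssh directory
      ansible.builtin.file:
        path: /home/autossh-tunnel/.ssh
        state: directory
        owner: autossh-tunnel
        group: nogroup
        mode: '0700'

    # NOTE(review): consider prefixing the key with the authorized_keys
    # options `restrict,port-forwarding` as a second layer behind the
    # Match block; only valid if ssh_pub_key carries no options itself.
    - name: Setup authorized_keys for autossh-tunnel
      ansible.builtin.blockinfile:
        path: /home/autossh-tunnel/.ssh/authorized_keys
        create: true
        block: |
          {{ ssh_pub_key }} autossh-tunnel
        owner: autossh-tunnel
        group: nogroup
        mode: '0600'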