---
- name: Create a user with SSH access and optional groups
  hosts: all
  become: true
  gather_facts: false

  vars:
    username: "{{ username }}"
    authorized_key: "{{ authorized_key }}"
    extra_groups: "{{ extra_groups | default('') }}"
    extra_groups_list: "{{ extra_groups.split(',') | map('trim') | list if extra_groups else [] }}"
    default_shell: "{{ default_shell | default('/bin/bash') }}"

  tasks:
    - name: Ensure each extra group exists
      ansible.builtin.group:
        name: "{{ item }}"
        state: present
      loop: "{{ extra_groups_list }}"
      when: extra_groups_list | length > 0

    - name: Ensure user account exists
      ansible.builtin.user:
        name: "{{ username }}"
        shell: "{{ default_shell }}"
        groups: "{{ extra_groups_list }}"
        append: true
        create_home: true
        state: present

    - name: Set authorized SSH key
      ansible.builtin.authorized_key:
        user: "{{ username }}"
        key: "{{ authorized_key }}"
        state: present