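---
##########
# This playbook is expressly to load management ssh-keys on proxmox LXC
# containers that might not have SSH enabled yet. Nothing talks to the
# container over SSH: every step runs on a Proxmox host and reaches into
# the container with `pct exec` / `pct push`.
#
# Inputs (per host in the `lxc_containers` group):
#   vmid        - numeric Proxmox ID of the container
#   CLIENT_SLUG - selects the public key /root/.ssh/client_<slug>.pub that
#                 must already exist on the Proxmox host the task runs on
#
# Inventory requirements:
#   groups['proxmox_cluster'] - at least one PVE host; the first one is
#                 asked where the VMID currently lives
#   every PVE node name returned by pvesh must be resolvable as an
#   inventory host, because it is used as a delegate_to target
#
- name: Bootstrap SSH on LXC Containers via Proxmox Host
  hosts: lxc_containers
  gather_facts: false
  vars:
    client_pub_key: "/root/.ssh/client_{{ CLIENT_SLUG }}.pub"
  tasks:
    # vmid and CLIENT_SLUG end up inside commands executed as root on the
    # PVE host, so reject anything that is not a plain number / slug
    # before either value is interpolated anywhere.
    - name: Validate vmid and CLIENT_SLUG before they reach any command line
      ansible.builtin.assert:
        that:
          - vmid is defined
          - (vmid | string) is match('^[0-9]+$')
          - CLIENT_SLUG is defined
          - (CLIENT_SLUG | string) is match('^[A-Za-z0-9_-]+$')
        fail_msg: >-
          vmid must be a numeric Proxmox ID and CLIENT_SLUG may only contain
          letters, digits, '_' and '-' (got vmid={{ vmid | default('') }},
          CLIENT_SLUG={{ CLIENT_SLUG | default('') }})

    - name: Query cluster resources for VMID {{ vmid }}
      # We delegate to the first host in your proxmox_cluster group; any
      # cluster member can answer for every VMID.
      delegate_to: "{{ groups['proxmox_cluster'][0] }}"
      ansible.builtin.command:
        argv:
          - pvesh
          - get
          - /cluster/resources
          - --type
          - vm
          - --output-format
          - json
      register: cluster_resources
      changed_when: false

    # Match on the structured `vmid` field instead of grepping the text
    # table: `grep -w '<vmid>'` could also hit any other column that
    # happens to equal the ID, and the column index awk relied on is not
    # stable across pvesh versions.
    - name: Resolve which node currently runs LXC {{ vmid }}
      ansible.builtin.set_fact:
        lxc_nodes: >-
          {{ (cluster_resources.stdout | from_json)
             | selectattr('type', 'equalto', 'lxc')
             | selectattr('vmid', 'defined')
             | selectattr('vmid', 'equalto', vmid | int)
             | map(attribute='node')
             | list }}

    # An empty match would otherwise surface later as an opaque
    # delegate_to "" error.
    - name: Fail unless exactly one LXC container has VMID {{ vmid }}
      ansible.builtin.assert:
        that:
          - lxc_nodes | length == 1
        fail_msg: >-
          Expected exactly one LXC container with VMID {{ vmid }},
          found {{ lxc_nodes | length }}

    - name: Set active host fact
      ansible.builtin.set_fact:
        active_pve_node: "{{ lxc_nodes[0] }}"

    - name: Configure LXC via PVE CLI
      delegate_to: "{{ active_pve_node }}"
      become: true
      block:
        - name: Ensure .ssh directory exists in LXC
          ansible.builtin.command:
            argv:
              - pct
              - exec
              - "{{ vmid }}"
              - --
              - mkdir
              - -p
              - /root/.ssh

        # Overwrites any existing authorized_keys in the container; pct
        # writes the file with mode 600.
        - name: Push SSH key to LXC
          ansible.builtin.command:
            argv:
              - pct
              - push
              - "{{ vmid }}"
              - "{{ client_pub_key }}"
              - /root/.ssh/authorized_keys
              - --perms
              - "600"

        # argv hands the script to bash as one argument, so the sed
        # expressions need no quoting at the Ansible layer.
        - name: Set SSH permissions and restart
          ansible.builtin.command:
            argv:
              - pct
              - exec
              - "{{ vmid }}"
              - --
              - bash
              - -c
              - |
                set -euo pipefail
                chmod 700 /root/.ssh
                chown root:root /root/.ssh /root/.ssh/authorized_keys
                cfg=/etc/ssh/sshd_config
                # 's/^#?Key.*/' is a basic regex, where '?' is a literal
                # character, so that substitution never matched anything.
                # Use -E, and append the directive when there is no
                # (commented) line to rewrite.
                for directive in 'PermitRootLogin prohibit-password' 'PasswordAuthentication no'; do
                  key="${directive%% *}"
                  if grep -Eq "^#?${key}([[:space:]]|$)" "$cfg"; then
                    sed -i -E "s/^#?${key}([[:space:]].*)?$/${directive}/" "$cfg"
                  else
                    printf '%s\n' "$directive" >> "$cfg"
                  fi
                done
                # NOTE(review): images whose sshd_config includes
                # sshd_config.d/*.conf may still override these two
                # directives from there — confirm on the target image.
                # Validate before restarting so a bad edit does not leave
                # the container without a listening sshd.
                sshd -t
                # Debian/Ubuntu name the unit ssh; other distributions sshd.
                systemctl restart ssh || systemctl restart sshd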