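---
# Bootstrap play: installs the operator's SSH public key for
# `bootstrap_user` and gives that account passwordless sudo.
# Required variable: bootstrap_user (an account that already exists on
# the target hosts).
- name: Bootstrap SSH access
  # NOTE(review): `all` applies the sudo grant below to every inventory
  # host; narrow the pattern or run with --limit if that is too broad.
  hosts: all
  become: true
  tasks:
    - name: Ensure .ssh directory exists
      file:
        # assumes the account's home is /home/<user> — TODO confirm
        path: "/home/{{ bootstrap_user }}/.ssh"
        state: directory
        # The directory must belong to the account that logs in: with
        # sshd's StrictModes (on by default) key authentication is
        # refused when ~/.ssh is owned by another non-root user.
        # Group is left unmanaged; mode 0700 grants it nothing.
        owner: "{{ bootstrap_user }}"
        mode: "0700"

    - name: Install authorized key
      authorized_key:
        user: "{{ bootstrap_user }}"
        state: present
        # The lookup runs on the control node, so this is the public key
        # of whoever executes the playbook.
        key: "{{ lookup('file', '~/.ssh/id_ed25519.pub') }}"

    - name: Allow passwordless sudo
      copy:
        # sudo skips files in sudoers.d whose name contains '.' or ends
        # in '~', so a user name with a dot makes this rule a no-op.
        dest: "/etc/sudoers.d/{{ bootstrap_user }}"
        # Unrestricted root without a password: whoever holds the private
        # key for the account above is root on each targeted host.
        # Restrict the command list, or remove this drop-in once
        # bootstrap is finished, if that is more than is needed.
        content: "{{ bootstrap_user }} ALL=(ALL) NOPASSWD:ALL\n"
        owner: root
        group: root
        mode: "0440"
        # Syntax-check before the file is moved into place; a malformed
        # sudoers drop-in can break sudo for every account on the host.
        validate: /usr/sbin/visudo -cf %s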