users.yml

---
- hosts: all
  become: true
  remote_user: ansible
  #remote_user: tbowling

  vars_files: vault.yml
  vars:
    ansible_become_password: '{{ my_become_password }}'
    #ansible_become_password: "{{ install_password }}"

  roles:

  tasks:

    - name: Configure root
      ansible.builtin.user:
        name: root
        password_lock: true
        state: present

    - name: Add/configure user myadmin
      ansible.builtin.user:
        name: myadmin
        comment: My Admin
        groups: wheel
        append: true
        password: "{{ demo_password_encrypted }}"
        update_password: always
        state: present

    - name: Add/configure user tbowling
      ansible.builtin.user:
        name: tbowling
        comment: Terry Bowling
        groups: wheel
        append: true
        password: "{{ demo_password_encrypted }}"
        update_password: always
        state: present

    - name: Set authorized key took from file
      ansible.posix.authorized_key:
        user: "{{ item }}"
        state: present
        key: "{{ lookup('file', '/home/tbowling/.ssh/id_rsa_demo.pub') }}"
        exclusive: true
      loop:
        - root
        - ansible
        - myadmin
        - tbowling

##  Must do this last because become_password changes
    - name: Add/configure user ansible
      ansible.builtin.user:
        name: ansible
        groups: wheel
        append: true
        password: "{{ demo_password_encrypted }}"
        update_password: always
        state: present