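---
# Creates the restic service group and user, then grants that user
# passwordless sudo through a managed block in /etc/sudoers.
#
# Variables read by these tasks:
#   restic_user_group     - group to create; every task is skipped when unset
#   restic_user           - account to create and to name in the sudoers rule
#   restic_sudo_commands  - optional, new in this revision: sudoers command
#                           list (comma-separated absolute paths). Defaults
#                           to ALL, which matches the previous hard-coded rule.

- name: ensure group exists
  become: true
  ansible.builtin.group:
    name: "{{ restic_user_group }}"
    state: present
  when:
    - restic_user_group is defined

- name: ensure user exists
  become: true
  ansible.builtin.user:
    name: "{{ restic_user }}"
    group: "{{ restic_user_group }}"
    # No interactive login shell. This does not limit what the account can do
    # through sudo once a process is running under it.
    shell: /usr/sbin/nologin
  when:
    - restic_user_group is defined
    - restic_user is defined

# NOTE(review): with the default of ALL this rule lets any process running as
# the restic user become any user, root included, without a password. A
# compromise of that account is then a compromise of the host. Set
# restic_sudo_commands to the specific commands the account needs, and
# confirm whether the grant is needed at all.
# NOTE(review): the block is written into /etc/sudoers itself rather than a
# drop-in file; the visudo validation below keeps a syntax error from being
# installed. The path is left unchanged so existing hosts keep a single copy
# of the managed block.
- name: add user to sudoers
  become: true
  ansible.builtin.blockinfile:
    path: /etc/sudoers
    state: present
    block: |
      {{ restic_user }} ALL=(ALL) NOPASSWD:{{ restic_sudo_commands | default('ALL') }}
    # The candidate file is syntax-checked before it replaces the original.
    validate: '/usr/sbin/visudo -cf %s'
    backup: true
    marker_begin: restic-sudoers BEGIN
    marker_end: restic-sudoers END
  # restic_user_group is not referenced by this task; it is still required
  # here, as in the original.
  when:
    - restic_user_group is defined
    - restic_user is defined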