From e79455efaef85b23a2bc45c879e637728dacfb16 Mon Sep 17 00:00:00 2001 From: Patrick Marchand Date: Wed, 11 Sep 2019 11:29:18 -0400 Subject: [PATCH] Add match user and allow user ssh statements with join. If the statements are not there, we do not need to worry about manual edits. --- evolinux-users/tasks/ssh.yml | 26 +++++++++++++++++++------ evolinux-users/tasks/ssh_allowusers.yml | 22 --------------------- 2 files changed, 20 insertions(+), 28 deletions(-)
diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml
index 52348c7a..0e352119
--- a/evolinux-users/tasks/ssh.yml
+++ b/evolinux-users/tasks/ssh.yml
@@ -57,15 +57,29 @@ - ssh_allowusers - not ssh_allowgroups +- name: "Add AllowUsers sshd directive with all users" lineinfile: dest: /etc/ssh/sshd_config line: "\nAllowUsers {{ evolinux_users|map(attribute='name')|join(',') }}" insertafter: 'Subsystem' validate: '/usr/sbin/sshd -t -f %s' notify: reload sshd when: grep_allowusers_ssh.rc == 0 +- name: "Add Match User sshd directive with '{{ user.name }}'" lineinfile: dest: /etc/ssh/sshd_config line: "\nMatch User {{ evolinux_users|map(attribute='name')|join(',') }}\n PasswordAuthentication no" insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS" validate: '/usr/sbin/sshd -t -f %s' notify: reload sshd when: grep_matchuser_ssh == 0 - include: ssh_allowusers.yml vars: user: "{{ item.value }}" - - allow_users_present: "{{ grep_allowusers_ssh.rc == 0 }}" - - match_users_present: "{{ grep_matchuser_ssh.rc == 0 }}" - with_dict: "{{ evolinux_users }}" - when: - - ssh_allowusers - - not ssh_allowgroups + with_dict: "{{ evolinux_users }}" + when: (grep_allowusers_ssh.rc != 0) or (grep_matchuser_ssh != 0) - name: disable root login replace:
diff --git a/evolinux-users/tasks/ssh_allowusers.yml b/evolinux-users/tasks/ssh_allowusers.yml
index 19b7d03e..d6bd0154
--- a/evolinux-users/tasks/ssh_allowusers.yml
+++ b/evolinux-users/tasks/ssh_allowusers.yml
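Review bot: The `when` guards on the three new tasks in ssh.yml contradict each other and the removed `allow_users_present: "{{ grep_allowusers_ssh.rc == 0 }}"` expression: the AllowUsers task adds the directive when grep already found it (`rc == 0`), `grep_matchuser_ssh == 0` compares the whole registered result to an integer and can never be true, and the include — whose remaining tasks are `replace` appends that only work on an existing line — runs only when the directives are absent, so on a host that lacks them neither `AllowUsers` nor the `Match User … PasswordAuthentication no` block is ever written and those users keep whatever the global password-auth setting is. Two further defects sit in the rendered lines: `evolinux_users` is a dict (it is iterated with `with_dict` and read as `item.value` / `user.name` just below), so `evolinux_users|map(attribute='name')` maps over the keys and should be `evolinux_users.values()|map(attribute='name')`; and sshd's `AllowUsers` takes space-separated patterns, as the existing append task's `'\1 {{ user.name }}'` (versus `'\1,{{ user.name }}'` for `Match User`) reflects, so `join(',')` yields one pattern like `alice,bob` that matches no account and, once the guards are fixed, locks every user out. The `ssh_allowusers` / `not ssh_allowgroups` conditions dropped from the include are not carried onto the new tasks either, so `AllowUsers` would be written even on hosts configured for `AllowGroups`; they should be restored on all three, and the second task's name should not reference `user`, which is undefined in ssh.yml. The `- name: disable root login` task continues outside the hunk.
```yaml
- name: "Add AllowUsers sshd directive with all users"
  lineinfile:
    dest: /etc/ssh/sshd_config
    # AllowUsers patterns are space-separated; evolinux_users is a dict, so take its values
    line: "\nAllowUsers {{ evolinux_users.values()|map(attribute='name')|join(' ') }}"
    # … unchanged: insertafter, validate …
  notify: reload sshd
  when:
    - grep_allowusers_ssh.rc != 0
    - ssh_allowusers
    - not ssh_allowgroups

- name: "Add Match User sshd directive with all users"
  lineinfile:
    dest: /etc/ssh/sshd_config
    # Match User does accept a comma-separated list
    line: "\nMatch User {{ evolinux_users.values()|map(attribute='name')|join(',') }}\n PasswordAuthentication no"
    # … unchanged: insertafter, validate …
  notify: reload sshd
  when:
    - grep_matchuser_ssh.rc != 0
    - ssh_allowusers
    - not ssh_allowgroups

- include: ssh_allowusers.yml
  # … unchanged: vars, with_dict …
  when:
    - (grep_allowusers_ssh.rc == 0) or (grep_matchuser_ssh.rc == 0)
    - ssh_allowusers
    - not ssh_allowgroups
```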
@@ -1,15 +1,5 @@ --- -- name: "Add AllowUsers sshd directive with '{{ user.name }}'" - lineinfile: - dest: /etc/ssh/sshd_config - line: "\nAllowUsers {{ user.name }}" - insertafter: 'Subsystem' - validate: '/usr/sbin/sshd -t -f %s' - notify: reload sshd - when: not allow_users_present or not added_allow_user.changed - register: added_allow_user - - name: "Append '{{ user.name }}' to AllowUsers sshd directive" replace: dest: /etc/ssh/sshd_config
@@ -17,17 +7,6 @@ replace: '\1 {{ user.name }}' validate: '/usr/sbin/sshd -t -f %s' notify: reload sshd - when: allow_users_present or added_allow_user.changed - - name: "Add Match User sshd directive with '{{ user.name }}'" - lineinfile: - dest: /etc/ssh/sshd_config - line: "\nMatch User {{ user.name }}\n PasswordAuthentication no" - insertafter: "# END EVOLINUX PASSWORD RESTRICTIONS BY ADDRESS" - validate: '/usr/sbin/sshd -t -f %s' - notify: reload sshd - when: not match_users_present or not added_match_user.changed - register: added_match_user - name: "Append '{{ user.name }}' to Match User's sshd directive" replace:
@@ -36,4 +15,3 @@ replace: '\1,{{ user.name }}' validate: '/usr/sbin/sshd -t -f %s' notify: reload sshd - when: match_users_present or added_match_user.changed