Improve syntax of accounts role and fix missing tags

roles/accounts/tasks/main.yml

@@ -1,18 +1,14 @@
 ---
-- name: "Create {{ evobsd_internal_group }} group"
+- name: "Create {{ evobsd_internal_group }}, {{ evobsd_ssh_group }}, {{ evobsd_sudo_group }} group"
   group:
-    name: "{{ evobsd_internal_group }}"
+    name: "{{ item }}"
-    system: true
-
-- name: "Create {{ evobsd_ssh_group }} group"
-  group:
-    name: "{{ evobsd_ssh_group }}"
-    system: true
-
-- name: "Create {{ evobsd_sudo_group }} group"
-  group:
-    name: "{{ evobsd_sudo_group }}"
     system: true
+  with_items:
+    - "{{ evobsd_internal_group }}"
+    - "{{ evobsd_ssh_group }}"
+    - "{{ evobsd_sudo_group }}"
+  tags:
+    - admin
 
 - name: Create user accounts
   include: user.yml
@@ -20,6 +16,8 @@
     user: "{{ item.value }}"
   with_dict: "{{ evolix_users }}"
   when: evolix_users != {}
+  tags:
+    - admin
 
 - name: verify AllowGroups directive
   command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
@@ -27,6 +25,8 @@
   failed_when: false
   check_mode: false
   register: grep_allowgroups_ssh
+  tags:
+    - admin
 
 - name: verify AllowUsers directive
   command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
@@ -34,16 +34,22 @@
   failed_when: false
   check_mode: false
   register: grep_allowusers_ssh
+  tags:
+    - admin
 
 - name: "Check that AllowUsers and AllowGroup do not override each other"
   assert:
     that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)"
     msg: "We can't deal with AllowUsers and AllowGroups at the same time"
+  tags:
+    - admin
 
 - name: "If AllowGroups is present then use it"
   set_fact:
     ssh_allowgroups:
       "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"
+  tags:
+    - admin
 
 - name: "Add AllowGroups sshd directive with '{{ evobsd_ssh_group }}'"
   lineinfile:
@@ -55,6 +61,8 @@
   when:
     - ssh_allowgroups
     - grep_allowgroups_ssh.rc == 1
+  tags:
+    - admin
 
 - name: "Append '{{ evobsd_ssh_group }}' to AllowGroups sshd directive"
   replace:
@@ -66,6 +74,8 @@
   when:
     - ssh_allowgroups
     - grep_allowgroups_ssh.rc == 0
+  tags:
+    - admin
 
 - name: "Security directives for EvoBSD"
   blockinfile:
@@ -81,6 +91,8 @@
   notify: reload sshd
   when:
     - evolix_trusted_ips != []
+  tags:
+    - admin
 
 - name: "Disable root login"
   replace:
@@ -88,3 +100,5 @@
     regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
     replace: "PermitRootLogin no"
   notify: reload sshd
+  tags:
+    - admin

roles/accounts/tasks/user.yml

@@ -4,6 +4,8 @@
     state: present
     name: "{{ user.name }}"
     gid: "{{ user.uid }}"
+  tags:
+    - admin
 
 - name: "User '{{ user.name }}' is present"
   user:
@@ -25,6 +27,8 @@
     owner: "{{ user.name }}"
     group: "{{ user.name }}"
     state: directory
+  tags:
+    - admin
 
 - name: "SSH public keys for '{{ user.name }}' are present"
   authorized_key:
@@ -38,26 +42,14 @@
   tags:
     - admin
 
-- name: "Add {{ user.name }} to {{ evobsd_internal_group }} group"
+- name: "Add {{ user.name }} to {{ evobsd_internal_group }}, {{ evobsd_ssh_group }}, {{ evobsd_sudo_group }} group"
   user:
     name: "{{ user.name }}"
-    groups: "{{ evobsd_internal_group }}"
+    groups: "{{ item }}"
-    append: true
-  tags:
-    - admin
-
-- name: "Add {{ user.name }} to {{ evobsd_ssh_group }} group"
-  user:
-    name: "{{ user.name }}"
-    groups: "{{ evobsd_ssh_group }}"
-    append: true
-  tags:
-    - admin
-
-- name: "Add {{ user.name }} to {{ evobsd_sudo_group }} group"
-  user:
-    name: "{{ user.name }}"
-    groups: "{{ evobsd_sudo_group }}"
     append: true
+  with_items:
+    - "{{ evobsd_internal_group }}"
+    - "{{ evobsd_ssh_group }}"
+    - "{{ evobsd_sudo_group }}"
   tags:
     - admin