From f0ecc79696e390d47c502b8db9b9c6d54b0e0475 Mon Sep 17 00:00:00 2001 From: Jeremy Dubois Date: Wed, 5 Jan 2022 11:16:18 +0100 Subject: [PATCH] accounts: use "evobsd_internal_group" for SSH authentication --- CHANGELOG | 2 ++ roles/accounts/tasks/main.yml | 7 ++++++- roles/accounts/tasks/user.yml | 8 ++++++++ vars/main.yml | 1 + 4 files changed, 17 insertions(+), 1 deletion(-) diff --git a/CHANGELOG b/CHANGELOG index 5602196..9c91acd 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -11,6 +11,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Changed +- accounts: use "evobsd_internal_group" for SSH authentication + ### Fixed ### Removed diff --git a/roles/accounts/tasks/main.yml b/roles/accounts/tasks/main.yml index 1b097c3..45503a1 100644 --- a/roles/accounts/tasks/main.yml +++ b/roles/accounts/tasks/main.yml @@ -1,4 +1,9 @@ --- +- name: "Create {{ evobsd_internal_group }} group" + group: + name: "{{ evobsd_internal_group }}" + system: true + - name: "Create {{ evobsd_ssh_group }} group" group: name: "{{ evobsd_ssh_group }}" @@ -69,7 +74,7 @@ block: | Match Address {{ evolix_trusted_ips | join(',') }} PasswordAuthentication yes - Match Group {{ evobsd_ssh_group }} + Match Group {{ evobsd_internal_group }} PasswordAuthentication no insertafter: EOF validate: '/usr/sbin/sshd -t -f %s' diff --git a/roles/accounts/tasks/user.yml b/roles/accounts/tasks/user.yml index b0965f9..ef27a5b 100644 --- a/roles/accounts/tasks/user.yml +++ b/roles/accounts/tasks/user.yml @@ -38,6 +38,14 @@ tags: - admin +- name: "Add {{ user.name }} to {{ evobsd_internal_group }} group" + user: + name: "{{ user.name }}" + groups: "{{ evobsd_internal_group }}" + append: true + tags: + - admin + - name: "Add {{ user.name }} to {{ evobsd_ssh_group }} group" user: name: "{{ user.name }}" diff --git a/vars/main.yml b/vars/main.yml index 053f791..c7d6de7 100644 --- a/vars/main.yml +++ b/vars/main.yml 
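Review bot: The new first task in roles/accounts/tasks/main.yml (hunk `@@ -1,4 +1,9 @@`) templates `evobsd_internal_group` with no fallback, and the only definition this patch adds is a commented-out example in vars/main.yml. An inventory that sets `evobsd_ssh_group` but not the new variable will presumably stop at this task with an undefined-variable error; whether a role default exists elsewhere is not visible here. Failing early is the safe outcome, but the CHANGELOG entry should state that the variable is now required. A comment above the task such as `# Group matched by the sshd "Match Group" block; must be defined in vars/main.yml` would make the dependency explicit.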
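Review bot: In roles/accounts/tasks/main.yml (hunk `@@ -69,7 +74,7 @@`), pointing `Match Group` at `{{ evobsd_internal_group }}` removes the `PasswordAuthentication no` override from any account that is in `{{ evobsd_ssh_group }}` but not in the internal group. Those accounts fall back to the global sshd setting, which this hunk does not show. On hosts that are already deployed this is a policy change for SSH accounts not managed through user.yml, so it is worth checking group membership before rollout. The ordering also deserves a comment: sshd applies the first matching value for a keyword, so the preceding `Match Address` block still allows password login for internal-group members connecting from `evolix_trusted_ips`. If that is intended, a line above the task like `# internal accounts are key-only except from trusted IPs (first Match wins)` would record it; the enclosing task starts outside the hunk.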
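Review bot: The task added in roles/accounts/tasks/user.yml (hunk `@@ -38,6 +38,14 @@`) puts every account processed by this file into `{{ evobsd_internal_group }}` with no `when:` condition, and that membership now selects the sshd `Match Group` block. If user.yml is ever looped over accounts that are not internal staff, they would silently get the same SSH policy; whether that can happen depends on the caller, which is outside the hunk. The task also runs only under the `admin` tag, so a play limited to other tags leaves a new user outside the group and therefore outside the `PasswordAuthentication no` rule. I would add a comment above the task, e.g. `# membership drives the sshd "Match Group" policy in main.yml`, so the security effect of the group is visible where it is assigned.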
@@ -23,6 +23,7 @@
 # evomaintenance_urgency_from: mama.doe@example.com
 # evomaintenance_urgency_tel: "06.00.00.00.00"
 #
+# evobsd_internal_group: "foo"
 # evobsd_ssh_group: "foo-ssh"
 # evobsd_sudo_group: "foo-sudo"
 #