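# yamllint disable rule:line-length
---
# Account and sshd access-control tasks for EvoBSD.
#
# Flow: create the internal/ssh/sudo groups, create the user accounts, then
# decide whether sshd access is restricted with AllowGroups (preferred) or an
# existing AllowUsers directive, add the ssh group to AllowGroups, restrict
# password authentication to trusted IPs, and set PermitRootLogin.
#
# Every task that rewrites /etc/ssh/sshd_config runs `sshd -t` on the
# candidate file before it is written, so a broken directive never reaches
# the live configuration, and notifies the "reload sshd" handler.

- name: "Create {{ evobsd_internal_group }}, {{ evobsd_ssh_group }}, {{ evobsd_sudo_group }} group"
  ansible.builtin.group:
    name: "{{ item }}"
    system: true
  with_items:
    - "{{ evobsd_internal_group }}"
    - "{{ evobsd_ssh_group }}"
    - "{{ evobsd_sudo_group }}"
  tags:
    - accounts
    - admin

# NOTE(review): `include` is deprecated in favour of include_tasks /
# import_tasks; switching changes how the tags below propagate into
# user.yml, so it is deliberately left as-is here.
# `user` is exposed to user.yml (and to the `when` below) as the value of
# each evolix_users entry.
- name: "Create user accounts"
  include: user.yml
  vars:
    user: "{{ item.value }}"
  with_dict: "{{ evolix_users }}"
  when:
    - user.create == evobsd_users_create
    - evolix_users != {}
  tags:
    - accounts
    - admin
    - users

# Detect which sshd access-control directive is already in place.
# grep rc 0 = directive present, 1 = absent, 2 = error (file unreadable).
# changed_when/failed_when false: this is a read-only lookup and must never
# report a change or abort the play; check_mode false: the facts are needed
# in --check runs too.
- name: "Verify AllowGroups directive"
  ansible.builtin.command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
  changed_when: false
  failed_when: false
  check_mode: false
  register: grep_allowgroups_ssh
  tags:
    - accounts
    - admin

- name: "Verify AllowUsers directive"
  ansible.builtin.command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
  changed_when: false
  failed_when: false
  check_mode: false
  register: grep_allowusers_ssh
  tags:
    - accounts
    - admin

# Both directives active at once would make the resulting access policy
# ambiguous, so the play stops rather than guessing.
- name: "Check that AllowUsers and AllowGroup do not override each other"
  ansible.builtin.assert:
    that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)"
    msg: "We can't deal with AllowUsers and AllowGroups at the same time"
  tags:
    - accounts
    - admin

# ssh_allowgroups is true when AllowGroups is present, or when neither
# directive is present (AllowGroups is the default strategy); it is false
# only when AllowUsers alone is in use.
- name: "If AllowGroups is present then use it"
  ansible.builtin.set_fact:
    ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"
  tags:
    - accounts
    - admin

# Only runs when AllowGroups is absent (rc == 1; an rc of 2 skips both this
# task and the next). The leading "\n" keeps a blank line before the new
# directive; because the value spans two lines the `when` guard, not
# lineinfile's own matching, is what keeps this idempotent.
- name: "Add AllowGroups sshd directive with '{{ evobsd_ssh_group }}'"
  ansible.builtin.lineinfile:
    dest: /etc/ssh/sshd_config
    line: "\nAllowGroups {{ evobsd_ssh_group }}"
    insertafter: 'Subsystem'
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  when:
    - ssh_allowgroups
    - grep_allowgroups_ssh.rc == 1
  tags:
    - accounts
    - admin

# Only runs when AllowGroups already exists: the negative lookahead makes
# the regexp match only a line that does not yet list the group, so the
# group is appended once. The group name is regex-escaped because it is
# interpolated into a pattern, not into a literal.
- name: "Append '{{ evobsd_ssh_group }}' to AllowGroups sshd directive"
  ansible.builtin.replace:
    dest: /etc/ssh/sshd_config
    regexp: '^(AllowGroups ((?!\b{{ evobsd_ssh_group | regex_escape }}\b).)*)$'
    replace: '\1 {{ evobsd_ssh_group }}'
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  when:
    - ssh_allowgroups
    - grep_allowgroups_ssh.rc == 0
  tags:
    - accounts
    - admin

# Password authentication is allowed only from evolix_trusted_ips and denied
# for members of the internal group everywhere else. A Match block applies
# to everything that follows it, which is why the block goes at EOF. Skipped
# entirely when no trusted IPs are defined, so the global policy is kept.
- name: "Security directives for EvoBSD"
  ansible.builtin.blockinfile:
    dest: /etc/ssh/sshd_config
    marker: "# {mark} EVOBSD PASSWORD RESTRICTIONS"
    block: |
      Match Address {{ evolix_trusted_ips | join(',') }}
          PasswordAuthentication yes
      Match Group {{ evobsd_internal_group }}
          PasswordAuthentication no
    insertafter: EOF
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  when:
    - evolix_trusted_ips != []
  tags:
    - accounts
    - admin

# Sets PermitRootLogin to evobsd_root_login (the task name reflects the
# intended value). The regexp matches only an active yes /
# without-password / prohibit-password line: a commented-out directive or an
# existing `PermitRootLogin no` is left untouched, so the effective value
# then comes from whatever sshd_config already says. `validate` is used here
# like in the other sshd_config edits, so an invalid evobsd_root_login value
# cannot be written into the live configuration.
- name: "Disable root login"
  ansible.builtin.replace:
    dest: /etc/ssh/sshd_config
    regexp: '^PermitRootLogin\s+(yes|without-password|prohibit-password)'
    replace: "PermitRootLogin {{ evobsd_root_login }}"
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  tags:
    - accounts
    - admin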