---
- name: "Create {{ evobsd_internal_group }} group"
  group:
    name: "{{ evobsd_internal_group }}"
    system: true

- name: "Create {{ evobsd_ssh_group }} group"
  group:
    name: "{{ evobsd_ssh_group }}"
    system: true

- name: "Create {{ evobsd_sudo_group }} group"
  group:
    name: "{{ evobsd_sudo_group }}"
    system: true

- name: Create user accounts
  include: user.yml
  vars:
    user: "{{ item.value }}"
  with_dict: "{{ evolix_users }}"
  when: evolix_users != {}

- name: verify AllowGroups directive
  command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
  changed_when: false
  failed_when: false
  check_mode: false
  register: grep_allowgroups_ssh

- name: verify AllowUsers directive
  command: "grep -E '^AllowUsers' /etc/ssh/sshd_config"
  changed_when: false
  failed_when: false
  check_mode: false
  register: grep_allowusers_ssh

- name: "Check that AllowUsers and AllowGroup do not override each other"
  assert:
    that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)"
    msg: "We can't deal with AllowUsers and AllowGroups at the same time"

- name: "If AllowGroups is present then use it"
  set_fact:
    ssh_allowgroups:
      "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0) }}"

- name: "Add AllowGroups sshd directive with '{{ evobsd_ssh_group }}'"
  lineinfile:
    dest: /etc/ssh/sshd_config
    line: "\nAllowGroups {{ evobsd_ssh_group }}"
    insertafter: 'Subsystem'
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  when:
    - ssh_allowgroups
    - grep_allowgroups_ssh.rc == 1

- name: "Append '{{ evobsd_ssh_group }}' to AllowGroups sshd directive"
  replace:
    dest: /etc/ssh/sshd_config
    regexp: '^(AllowGroups ((?!\b{{ evobsd_ssh_group }}\b).)*)$'
    replace: '\1 {{ evobsd_ssh_group }}'
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  when:
    - ssh_allowgroups
    - grep_allowgroups_ssh.rc == 0

- name: "Security directives for EvoBSD"
  blockinfile:
    dest: /etc/ssh/sshd_config
    marker: "# {mark} EVOBSD PASSWORD RESTRICTIONS"
    block: |
      Match Address {{ evolix_trusted_ips | join(',') }}
          PasswordAuthentication yes
      Match Group {{ evobsd_internal_group }}
          PasswordAuthentication no
    insertafter: EOF
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  when:
    - evolix_trusted_ips != []

- name: "Disable root login"
  replace:
    dest: /etc/ssh/sshd_config
    regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
    replace: "PermitRootLogin no"
  notify: reload sshd