From 094ad8c28db15b651281c944edeb270781071f0b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?=
Date: Sat, 7 Oct 2017 22:15:51 +0200
Subject: [PATCH] evolinux-base: improve AllowUsers for current user
---
 evolinux-base/tasks/ssh.yml | 30 +++++++++++++++++++++++++-----
 1 file changed, 25 insertions(+), 5 deletions(-)
diff --git a/evolinux-base/tasks/ssh.yml b/evolinux-base/tasks/ssh.yml
index 20b93fed..9cec1bd2 100644
--- a/evolinux-base/tasks/ssh.yml
+++ b/evolinux-base/tasks/ssh.yml
@@ -41,11 +41,31 @@
   check_mode: no
   when: evolinux_ssh_allow_current_user
 
-- name: "Allow current user"
-  lineinfile:
-    dest: /etc/ssh/sshd_config
-    line: "AllowUsers {{ logname.stdout }}"
-    insertafter: 'Subsystem'
+# we must double-escape caracters, because python
+- name: verify AllowUsers directive
+  shell: "egrep '^AllowUsers' /etc/ssh/sshd_config"
+  changed_when: False
+  failed_when: False
+  register: grep_allowusers_ssh
+  check_mode: no
   when: evolinux_ssh_allow_current_user
 
+- name: "Add AllowUsers sshd directive for current user"
+  lineinfile:
+    dest: /etc/ssh/sshd_config
+    line: "\nAllowUsers {{ logname.stdout }}"
+    insertafter: 'Subsystem'
+    validate: '/usr/sbin/sshd -T -f %s'
+    notify: reload sshd
+  when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc != 0
+
+- name: "Modify AllowUsers sshd directive for current user"
+  replace:
+    dest: /etc/ssh/sshd_config
+    regexp: '^(AllowUsers ((?!{{ logname.stdout }}).)*)$'
+    replace: '\1 {{ logname.stdout }}'
+    validate: '/usr/sbin/sshd -T -f %s'
+    notify: reload sshd
+  when: evolinux_ssh_allow_current_user and grep_allowusers_ssh.rc == 0
+
 - meta: flush_handlers
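Review bot: In both the "Add AllowUsers" and "Modify AllowUsers" tasks, `notify: reload sshd` is nested under the module arguments (`lineinfile:` / `replace:`) rather than at task level, so it appears to be handed to the module as a parameter instead of being read as the task keyword; the `reload sshd` handler would then never be queued, and the task is likely to fail on an unsupported parameter. It should sit at the same indent as `when:`, i.e. `  notify: reload sshd` in each task. Separately, the `replace` regexp `^(AllowUsers ((?!{{ logname.stdout }}).)*)$` checks for the username as a bare substring, so a current user `bob` is treated as already allowed when only `bobby` is listed and is left out of AllowUsers, which locks that account out of SSH once sshd reloads; a word-bounded lookahead such as `regexp: '^(AllowUsers(?!.*\b{{ logname.stdout }}\b).*)$'` avoids that. The task that the hunk's leading context lines (`check_mode: no` / `when:`) belong to starts above the hunk.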