From 707aabb404355979bd173070ec1048d1d7caed55 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Lecour?=
Date: Tue, 10 Oct 2017 21:59:43 +0200
Subject: [PATCH] evolinux-base : remove root from AllowUsers directive when disabling root login, also remove it from AllowUsers if present
---
 evolinux-base/tasks/root.yml | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/evolinux-base/tasks/root.yml b/evolinux-base/tasks/root.yml
index 4c66324a..71cb9f3d 100644
--- a/evolinux-base/tasks/root.yml
+++ b/evolinux-base/tasks/root.yml
@@ -88,4 +88,13 @@
 notify: reload sshd
 when: evolinux_root_disable_ssh
+- name: remove root from AllowUsers directive
+ replace:
+ dest: /etc/ssh/sshd_config
+ regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$'
+ replace: '\1\4'
+ validate: '/usr/sbin/sshd -T -f %s'
+ notify: reload sshd
+ when: evolinux_root_disable_ssh
+
 - meta: flush_handlers
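Review bot: The `regexp` in the new task matches `root` as a substring rather than as a whole AllowUsers entry, so it rewrites any account name that contains it. For example, `AllowUsers alice rootkit bob` becomes `AllowUsers alicekit bob` and `AllowUsers groot bob` becomes `AllowUsers gbob`. The `sshd -T` validation will not catch this because the mangled line is still syntactically valid, so one account is silently locked out and a different name is admitted. Delimiting the token by whitespace in all three places it appears, i.e. writing `(?<!\S)root(?:@\S+)?(?!\S)` instead of `root(?:@\S+)?`, keeps the match to `root` and `root@host` entries only. Separately, as written the pattern removes only one root entry per run and leaves a line whose sole entry is `root` unchanged; a short comment on the task stating that this is intended would help.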