From f73667ea3c6755ffc9cebc81fcc94c73aa2c5904 Mon Sep 17 00:00:00 2001
From: Patrick Marchand
Date: Wed, 11 Sep 2019 11:53:51 -0400
Subject: [PATCH] Inline ssh_allow_user file
---
evolinux-users/tasks/ssh.yml | 47 +++++++++++++++++--------
evolinux-users/tasks/ssh_allowusers.yml | 17 ---------
2 files changed, 32 insertions(+), 32 deletions(-)
delete mode 100644 evolinux-users/tasks/ssh_allowusers.yml
diff --git a/evolinux-users/tasks/ssh.yml b/evolinux-users/tasks/ssh.yml
index 0e352119..7a9907aa 100644
--- a/evolinux-users/tasks/ssh.yml
+++ b/evolinux-users/tasks/ssh.yml
@@ -47,6 +47,28 @@
 - ssh_allowgroups
 - not ssh_allowusers
+- name: "Add AllowUsers sshd directive with all users"
+ lineinfile:
+ dest: /etc/ssh/sshd_config
+ line: "\nAllowUsers {{ evolinux_users|map(attribute='name')|join(',') }}"
+ insertafter: 'Subsystem'
+ validate: '/usr/sbin/sshd -t -f %s'
+ notify: reload sshd
+ when:
+ - grep_allowusers_ssh.rc == 0
+ - ssh_allowusers
+ - not ssh_allowgroups
+
+- name: "Append '{{ item.name }}' to AllowUsers sshd directive"
+ replace:
+ dest: /etc/ssh/sshd_config
+ regexp: '^(AllowUsers ((?!\b{{ item.name }}\b).)*)$'
+ replace: '\1 {{ item.name }}'
+ validate: '/usr/sbin/sshd -t -f %s'
+ with_dict: "{{ evolinux_users }}"
+ notify: reload sshd
+ when: grep_allowusers_ssh.rc != 0
+
 - name: "verify Match User directive"
 command: "grep -E '^Match User' /etc/ssh/sshd_config"
 changed_when: False
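Review bot: `{{ item.name }}` in the "Append … to AllowUsers" task is undefined under `with_dict`, which exposes each entry as `item.key`/`item.value`; the deleted include passed `user: "{{ item.value }}"` and the old task used `user.name`, so the equivalent here is `{{ item.value.name }}` in the task name, `regexp` and `replace` (the Match User append task in the third hunk has the same problem). With Ansible's default undefined-variable handling this most likely aborts the loop rather than silently skipping, but since this task is what grants users access through `AllowUsers`, it deserves a test run before merge. The Add task only runs when `ssh_allowusers` and `not ssh_allowgroups`, whereas the Append task is gated on `grep_allowusers_ssh.rc != 0` alone; if the intent is the same, mirror the two flags on the Append task so users are never appended into an `AllowUsers` line on a host managed by `AllowGroups`. If `grep_allowusers_ssh` is the plain `grep` register its name suggests, `rc != 0` means no `AllowUsers` line exists and the `replace` regexp can match nothing, so the gate looks inverted relative to the Add task's `rc == 0` — worth confirming, because a silent no-op here leaves users unlisted.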
@@ -57,16 +79,7 @@
 - ssh_allowusers
 - not ssh_allowgroups
-- name: "Add AllowUsers sshd directive with all users"
- lineinfile:
- dest: /etc/ssh/sshd_config
- line: "\nAllowUsers {{ evolinux_users|map(attribute='name')|join(',') }}"
- insertafter: 'Subsystem'
- validate: '/usr/sbin/sshd -t -f %s'
- notify: reload sshd
- when: grep_allowusers_ssh.rc == 0
-
-- name: "Add Match User sshd directive with '{{ user.name }}'"
+- name: "Add Match User sshd directive with all users"
 lineinfile:
 dest: /etc/ssh/sshd_config
 line: "\nMatch User {{ evolinux_users|map(attribute='name')|join(',') }}\n PasswordAuthentication no"
@@ -75,11 +88,15 @@
 notify: reload sshd
 when: grep_matchuser_ssh == 0
-- include: ssh_allowusers.yml
- vars:
- user: "{{ item.value }}"
- with_dict: "{{ evolinux_users }}"
- when: (grep_allowusers_ssh.rc != 0) or (grep_matchuser_ssh != 0)
+- name: "Append '{{ item.name }}' to Match User's sshd directive"
+ replace:
+ dest: /etc/ssh/sshd_config
+ regexp: '^(Match User ((?!{{ item.name }}).)*)$'
+ replace: '\1,{{ item.name }}'
+ validate: '/usr/sbin/sshd -t -f %s'
+ with_dict: "{{ evolinux_users }}"
+ notify: reload sshd
+ when: grep_matchuser_ssh.rc != 0
 - name: disable root login
 replace:
diff --git a/evolinux-users/tasks/ssh_allowusers.yml b/evolinux-users/tasks/ssh_allowusers.yml
deleted file mode 100644
index d6bd0154..00000000
--- a/evolinux-users/tasks/ssh_allowusers.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-
-- name: "Append '{{ user.name }}' to AllowUsers sshd directive"
- replace:
- dest: /etc/ssh/sshd_config
- regexp: '^(AllowUsers ((?!\b{{ user.name }}\b).)*)$'
- replace: '\1 {{ user.name }}'
- validate: '/usr/sbin/sshd -t -f %s'
- notify: reload sshd
- - name: "Append '{{ user.name }}' to Match User's sshd directive"
- replace:
- dest: /etc/ssh/sshd_config
- regexp: '^(Match User ((?!{{ user.name }}).)*)$'
- replace: '\1,{{ user.name }}'
- validate: '/usr/sbin/sshd -t -f %s'
- notify: reload sshd
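Review bot: The Match User `regexp` `'^(Match User ((?!{{ item.name }}).)*)$'` has no word boundaries, unlike the `\b…\b` used in the AllowUsers append task, so a user named `bob` is treated as already present whenever `bobby` is listed and is never appended; `regexp: '^(Match User ((?!\b{{ item.name }}\b).)*)$'` makes the two tasks consistent. The negative lookahead is evaluated at every position of the line, so the name appearing anywhere on it suppresses the append — acceptable for a comma-separated list, but a one-line comment such as `# skip users already present anywhere on the Match User line` would save the next reader a re-derivation. Separately, the new task's gate uses `grep_matchuser_ssh.rc != 0`, while the context line just above still reads `when: grep_matchuser_ssh == 0` on the Add task, comparing the registered result itself to 0; presumably that should also be `grep_matchuser_ssh.rc == 0`, otherwise the Add task never runs and the directive is never created for the append to extend.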