---
- ansible.builtin.debug:
    msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, some configuration elements won't be set!"
  when: evolinux_ssh_password_auth_addresses == []

- name: files under /etc/ssh/sshd_config.d are included
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    line: "Include /etc/ssh/sshd_config.d/*.conf"
    insertbefore: BOF
  notify: reload ssh

- name: add SSH server configuration template
  ansible.builtin.template:
    src: sshd/defaults.j2
    dest: /etc/ssh/sshd_config.d/z-evolinux-defaults.conf
    mode: "0644"

# Should we allow the current user?
- name: Allow the current user
  block:
  - name: "Get current user's login"
    ansible.builtin.command:
      cmd: logname
    changed_when: False
    register: _logname
    check_mode: no

  - name: verify AllowUsers directive
    ansible.builtin.command:
      cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowUsers' /etc/ssh/sshd_config /etc/ssh/sshd_config.d"
    failed_when: False
    changed_when: False
    register: grep_allowusers_ssh
    check_mode: no

  - name: verify AllowGroups directive
    ansible.builtin.command:
      cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowGroups' /etc/ssh/sshd_config /etc/ssh/sshd_config.d"
    failed_when: False
    changed_when: False
    register: grep_allowgroups_ssh
    check_mode: no

  # If we have AllowUsers but not AllowGroups, append the user to the list
  # (in the first file where we found the directive)

  - name: "Append user to existing AllowUsers sshd directive"
    ansible.builtin.replace:
      dest: "{{ grep_allowusers_ssh.stdout_lines[0] }}"
      regexp: '^(AllowUsers ((?!{{ _logname.stdout }}).)*)$'
      replace: '\1 {{ _logname.stdout }}'
      validate: '/usr/sbin/sshd -t -f %s'
    notify: reload sshd
    when:
      - grep_allowusers_ssh.rc == 0
      - grep_allowgroups_ssh.rc != 0

  # If we have AllowGroups but not AllowUsers, add the user to the group and append the group to the list
  # (in the first file where we found the directive)

  - name: "Append evolinux ssh group to AllowGroups sshd directive"
    ansible.builtin.replace:
      dest: "{{ grep_allowgroups_ssh.stdout_lines[0] }}"
      regexp: '^(AllowGroups ((?!{{ evolinux_ssh_group }}).)*)$'
      replace: '\1 {{ evolinux_ssh_group }}'
      validate: '/usr/sbin/sshd -t -f %s'
    notify: reload sshd
    when:
      - grep_allowusers_ssh.rc != 0
      - grep_allowgroups_ssh.rc == 0
  
  - name: "evolinux ssh group is present"
    ansible.builtin.group:
      name: "{{ evolinux_ssh_group }}"
    when:
      - grep_allowusers_ssh.rc != 0
      - grep_allowgroups_ssh.rc == 0
  
  - name: "Add current user to evolinux ssh group"
    ansible.builtin.user:
      name: "{{ _logname.stdout }}"
      group: "{{ evolinux_ssh_group }}"
      append: yes
    when:
      - grep_allowusers_ssh.rc != 0
      - grep_allowgroups_ssh.rc == 0

  # If we don't have AllowGroups nor AllowUsers, do nothing

  when: evolinux_ssh_allow_current_user | bool

- ansible.builtin.meta: flush_handlers