---

# this check must be repeated for each user
# even if it's been done before
- name: verify AllowGroups directive
  ansible.builtin.command:
    cmd: "grep -Er '^AllowGroups' /etc/ssh"
  changed_when: False
  failed_when: False
  check_mode: no
  register: grep_allowgroups_ssh
  when:
    - ansible_distribution_major_version is version('11', '<=')

- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
  ansible.builtin.lineinfile:
    dest: /etc/ssh/sshd_config
    line: "\nAllowGroups {{ evolinux_ssh_group }}"
    insertafter: 'Subsystem'
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  when:
    - ansible_distribution_major_version is version('11', '<=')
    - grep_allowgroups_ssh.rc != 0

- name: "Append '{{ evolinux_ssh_group }}' to AllowGroups sshd directive"
  ansible.builtin.replace:
    dest: /etc/ssh/sshd_config
    regexp: '^(AllowGroups ((?!\b{{ evolinux_ssh_group }}\b).)*)$'
    replace: '\1 {{ evolinux_ssh_group }}'
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  when:
    - ansible_distribution_major_version is version('11', '<=')
    - grep_allowgroups_ssh.rc == 0

- name: "Add AllowGroups sshd directive with '{{ evolinux_ssh_group }}'"
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config.d/z-evolinux-users.conf
    line: "AllowGroups {{ evolinux_ssh_group }}"
    create: yes
    mode: "0644"
    validate: '/usr/sbin/sshd -t -f %s'
  when:
    - ansible_distribution_major_version is version('12', '>=')