---

# Unix account

- fail:
    msg: "You must provide a value for the 'user.name ' variable."
  when: (user.name is not defined) or (user.name | length == 0)

- fail:
    msg: "You must provide a value for the 'user.uid ' variable."
  when: (user.uid is not defined) or (user.uid | string | length == 0)

- name: "Test if '{{ user.name }}' exists"
  command: 'id -u "{{ user.name }}"'
  register: get_id_from_login
  failed_when: False
  changed_when: False
  check_mode: no

- name: "Test if uid '{{ user.uid }}' exists"
  command: 'id -un -- "{{ user.uid }}"'
  register: get_login_from_id
  failed_when: False
  changed_when: False
  check_mode: no

# Error if
# the uid already exists
# and the user associated with this uid is not the desired user
- name: "Fail if uid already exists for another user"
  fail:
    msg: "Uid '{{ user.uid }}' is already used by '{{ get_login_from_id.stdout }}'. You must change uid for '{{ user.name }}'"
  when:
    - get_login_from_id.rc == 0
    - get_login_from_id.stdout != user.name

# Create/Update the user account with defined uid if
# the user doesn't already exist and the uid isn't already used
# or the user exists with the defined uid
- name: "Unix account for '{{ user.name }}' is present (with uid '{{ user.uid }}')"
  user:
    state: present
    uid: '{{ user.uid }}'
    name: '{{ user.name }}'
    comment: '{{ user.fullname }}'
    shell: /bin/bash
    password: '{{ user.password_hash }}'
    update_password: "on_create"
  when:
    - (get_id_from_login.rc != 0 and get_login_from_id.rc != 0) or (get_id_from_login.rc == 0 and get_login_from_id.stdout == user.name)

# Create/Update the user account without defined uid if
# the user doesn't already exist but the defined uid is already used
# or another user already exists with a the same uid
- name: "Unix account for '{{ user.name }}' is present (with random uid)"
  user:
    state: present
    name: '{{ user.name }}'
    comment: '{{ user.fullname }}'
    shell: /bin/bash
    password: '{{ user.password_hash }}'
    update_password: "on_create"
  when:
    - (get_id_from_login.rc != 0 and get_login_from_id.rc == 0) or (get_id_from_login.rc == 0 and get_login_from_id.stdout != user.name)

- name: Is /etc/aliases present?
  stat:
    path: /etc/aliases
  register: etc_aliases

- name: Set mail alias
  lineinfile:
    state: present
    dest: /etc/aliases
    line: '{{ user.name }}: root'
    regexp: '^{{ user.name }}:'
  when: etc_aliases.stat.exists
  notify: "newaliases"

# Unix groups

## Group for SSH authorizations

- name: "Unix group '{{ evolinux_ssh_group }}' is present (Debian 10 or later)"
  group:
    name: "{{ evolinux_ssh_group }}"
    state: present
  when: ansible_distribution_major_version is version('10', '>=')

- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_ssh_group }}' (Debian 10 or later)"
  user:
    name: '{{ user.name }}'
    groups: "{{ evolinux_ssh_group }}"
    append: yes
  when: ansible_distribution_major_version is version('10', '>=')

## Optional group for all evolinux users

- name: "Unix group '{{ evolinux_internal_group }}' is present (Debian 9 or later)"
  group:
    name: "{{ evolinux_internal_group }}"
    state: present
  when:
    - evolinux_internal_group is defined
    - evolinux_internal_group | length > 0
    - ansible_distribution_major_version is version('9', '>=')

- name: "Unix user '{{ user.name }}' belongs to group '{{ evolinux_internal_group }}' (Debian 9 or later)"
  user:
    name: '{{ user.name }}'
    groups: "{{ evolinux_internal_group }}"
    append: yes
  when:
    - evolinux_internal_group is defined
    - evolinux_internal_group | length > 0
    - ansible_distribution_major_version is version('9', '>=')

## Optional secondary groups, defined per user

- name: "Secondary Unix groups are present"
  group:
    name: "{{ group }}"
  loop: "{{ user.groups }}"
  loop_control:
    loop_var: group
  when:
    - user.groups is defined
    - user.groups | length > 0

- name: "Unix user '{{ user.name }}' belongs to secondary groups"
  user:
    name: '{{ user.name }}'
    groups: "{{ user.groups | join(',') }}"
    append: yes
  when:
    - user.groups is defined
    - user.groups | length > 0

# Permissions on home directory

- name: "Home directory for '{{ user.name }}' is not accessible by group and other users"
  file:
    name: '/home/{{ user.name }}'
    mode: "0700"
    state: directory

# Evomaintenance

- name: Search profile for presence of evomaintenance
  command: 'grep -q "trap.*sudo.*evomaintenance.sh" /home/{{ user.name }}/.profile'
  changed_when: False
  failed_when: False
  check_mode: no
  register: grep_profile_evomaintenance

## Don't add the trap if it is present or commented
- name: "User '{{ user.name }}' has its shell trap for evomaintenance"
  lineinfile:
    state: present
    dest: '/home/{{ user.name }}/.profile'
    insertafter: EOF
    line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0'
  when: grep_profile_evomaintenance.rc != 0

# SSH keys

- name: "SSH directory for '{{ user.name }}' is present"
  file:
    dest: '/home/{{ user.name }}/.ssh/'
    state: directory
    mode: "0700"
    owner: '{{ user.name }}'
    group: '{{ user.name }}'

- name: "SSH public key for '{{ user.name }}' is present"
  authorized_key:
    user: "{{ user.name }}"
    key: "{{ user.ssh_key }}"
    state: present
  when:
    - user.ssh_key is defined
    - user.ssh_key | length > 0

- name: "SSH public keys for '{{ user.name }}' are present"
  authorized_key:
    user: "{{ user.name }}"
    key: "{{ ssk_key }}"
    state: present
  loop: "{{ user.ssh_keys }}"
  loop_control:
    loop_var: ssk_key
  when:
    - user.ssh_keys is defined
    - user.ssh_keys | length > 0

- meta: flush_handlers