---

- name: Fetch SSHd config files
  ansible.builtin.command:
    cmd: "find /etc/ssh -type f \\( -name 'sshd_config' -o -path '/etc/ssh/sshd_config.d/*.conf' \\)"
  changed_when: False
  check_mode: no
  register: _ssh_config_paths

- ansible.builtin.debug:
    var: _ssh_config_paths
    verbosity: 1

############################
# AllowUsers or AllowGroups
############################

- name: verify AllowGroups directive
  ansible.builtin.command:
    cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowGroups' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
  changed_when: False
  failed_when: False
  check_mode: no
  register: grep_allowgroups_ssh

- ansible.builtin.debug:
    var: grep_allowgroups_ssh
    verbosity: 1

- name: verify AllowUsers directive
  ansible.builtin.command:
    cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowUsers' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
  changed_when: False
  failed_when: False
  check_mode: no
  register: grep_allowusers_ssh

- ansible.builtin.debug:
    var: grep_allowusers_ssh
    verbosity: 1

- ansible.builtin.assert:
    that: "not (grep_allowusers_ssh.rc == 0 and grep_allowgroups_ssh.rc == 0)"
    msg: "We can't deal with AllowUsers and AllowGroups at the same time"

- ansible.builtin.set_fact:
    # If "AllowGroups is present" or "AllowUsers is absent and Debian 10+",
    ssh_allowgroups: "{{ (grep_allowgroups_ssh.rc == 0) or (grep_allowusers_ssh.rc != 0 and (ansible_distribution_major_version is version('10', '>='))) }}"
    # If "AllowGroups is absent" and "AllowUsers is absent or Debian <10"
    ssh_allowusers:  "{{ (grep_allowusers_ssh.rc == 0) or (grep_allowgroups_ssh.rc != 0 and (ansible_distribution_major_version is version('10', '<'))) }}"

- ansible.builtin.debug:
    var: ssh_allowgroups
    verbosity: 1

- ansible.builtin.debug:
    var: ssh_allowusers
    verbosity: 1

- name: Configure SSH in AllowGroups mode
  ansible.builtin.include: ssh_allowgroups.yml
  when:
    - ssh_allowgroups
    - not ssh_allowusers

- name: Configure SSH in AllowUsers mode
  ansible.builtin.include: ssh_allowusers.yml
  vars:
    user: "{{ item.value }}"
  loop: "{{ evolinux_users | dict2items }}"
  when:
    - user.create == evolinux_users_create
    - ssh_allowusers
    - not ssh_allowgroups

# Do this again, to update the value

- name: Fetch SSHd config files
  ansible.builtin.command:
    cmd: "find /etc/ssh -type f \\( -name 'sshd_config' -o -path '/etc/ssh/sshd_config.d/*.conf' \\)"
  changed_when: False
  check_mode: no
  register: _ssh_config_paths

##################
# PermitRootLogin
##################

### For Debian < 12
#   if there is a commented value for PermitRootLogin
#   we replace it with a "no"

- name: Root login is disabled (Debian < 12)
  ansible.builtin.replace:
    dest: /etc/ssh/sshd_config
    regexp: '^#PermitRootLogin (yes|without-password|prohibit-password)'
    replace: "PermitRootLogin no"
  notify: reload sshd
  when:
    - evolinux_root_disable_ssh | bool
    - ansible_distribution_major_version is version('12', '<')

### For Debian >= 12
#   if there is no value for PermitRootLogin (anywhere)
#   we add a "no" in z-evolinux-users.conf 

- name: verify PermitRootLogin directive (Debian >= 12)
  ansible.builtin.command:
    cmd: "grep --extended-regexp --recursive --files-with-matches '^PermitRootLogin' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
  changed_when: False
  failed_when: False
  check_mode: no
  register: grep_permitrootlogin_ssh
  when:
    - ansible_distribution_major_version is version('12', '>=')

- name: Root login is disabled (Debian >= 12)
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config.d/z-evolinux-users.conf
    line: "PermitRootLogin no"
    create: yes
    mode: "0644"
    validate: '/usr/sbin/sshd -t -f %s'
    insertbefore: "BOF"
  notify: reload sshd
  when:
    - evolinux_root_disable_ssh | bool
    - ansible_distribution_major_version is version('12', '>=')
    - grep_permitrootlogin_ssh.rc != 0

#####################
# Allow current user 
#####################

- name: Allow current user
  block:
  - name: Check if evolinux ssh group is used
    ansible.builtin.command:
      cmd: "grep --extended-regexp --recursive --files-with-matches '^AllowGroups.+{{ evolinux_ssh_group }}' {{ _ssh_config_paths.stdout_lines | join(' ') }}"
    changed_when: False
    failed_when: False
    check_mode: no
    register: grep_evolinux_group_ssh

  - debug:
      var: grep_evolinux_group_ssh

  - name: "Get current user's login"
    ansible.builtin.command:
      cmd: logname
    changed_when: False
    register: _logname
    check_mode: no

  - debug:
      var: evolinux_ssh_group

  - debug:
      var: evolinux_ssh_allow_current_user

  - name: "Add current user ({{ _logname.stdout }}) to {{ evolinux_ssh_group }} group"
    ansible.builtin.user:
      name: "{{ _logname.stdout }}"
      groups: "{{ evolinux_ssh_group }}"
      append: yes
    when:
      - grep_evolinux_group_ssh.rc == 0
  when:
    - evolinux_ssh_group is defined
    - evolinux_ssh_group | length > 0
    - evolinux_ssh_allow_current_user | bool

- ansible.builtin.meta: flush_handlers