---

- name: Test if uid exists for '{{ user.name }}'
  command: 'getent passwd {{ user.uid }}'
  register: uidisbusy
  failed_when: False
  changed_when: False
  check_mode: no


- name: Add Unix account with classical uid for '{{ user.name }}'
  user:
   state: present
   uid: '{{ user.uid }}'
   name: '{{ user.name }}'
   comment: '{{ user.fullname }}'
   shell: /bin/bash
   password: '{{ user.password_hash }}'
   update_password: on_create
  when: uidisbusy|failed

- name: Add Unix account with random uid for '{{ user.name }}'
  user:
   state: present
   name: '{{ user.name }}'
   comment: '{{ user.fullname }}'
   shell: /bin/bash
   password: '{{ user.password_hash }}'
   update_password: on_create
  when: uidisbusy|success

- name: Fix perms on homedirectory for '{{ user.name }}'
  file:
   name: '/home/{{ user.name }}'
   mode: "0700"
   state: directory

- name: is evomaintenance installed?
  stat:
    path: "/usr/share/scripts/evomaintenance.sh"
  register: evomaintenance_script
  check_mode: no


- name: Add evomaintenance trap for '{{ user.name }}'
  lineinfile:
    state: present
    dest: '/home/{{ user.name }}/.profile'
    insertafter: EOF
    line: 'trap "sudo /usr/share/scripts/evomaintenance.sh" 0'
  when: evomaintenance_script.stat.exists

- name: Create .ssh directory for '{{ user.name }}'
  file:
    dest: '/home/{{ user.name }}/.ssh/'
    state: directory
    mode: "0700"
    owner: '{{ user.name }}'
    group: '{{ user.name }}'

- name: Add user's SSH public key for '{{ user.name }}'
  authorized_key:
    user: "{{ user.name }}"
    key: "{{ user.ssh_key }}"
    state: present

- name: verify AllowUsers directive
  command: "grep AllowUsers /etc/ssh/sshd_config"
  changed_when: False
  failed_when: False
  register: grep_allowusers_ssh
  check_mode: no


- name: Add AllowUsers sshd directive for '{{ user.name }}'
  lineinfile:
    dest: /etc/ssh/sshd_config
    line: "\nAllowUsers {{ user.name }}"
    insertafter: '^UsePAM'
    validate: '/usr/sbin/sshd -T -f %s'
  notify: reload sshd
  when: grep_allowusers_ssh.rc != 0

- name: Modify AllowUsers sshd directive for '{{ user.name }}'
  replace:
    dest: /etc/ssh/sshd_config
    regexp: '^(AllowUsers ((?!{{ user.name }}).)*)$'
    replace: '\1 {{ user.name }}'
    validate: '/usr/sbin/sshd -T -f %s'
  notify: reload sshd
  when: grep_allowusers_ssh.rc == 0

- name: verify Match User directive
  command: "grep 'Match User' /etc/ssh/sshd_config"
  changed_when: False
  failed_when: False
  register: grep_matchuser_ssh
  check_mode: no


- name: Add Match User sshd directive for '{{ user.name }}'
  lineinfile:
    dest: /etc/ssh/sshd_config
    line: "\nMatch User {{ user.name }}\n    PasswordAuthentication no"
    validate: '/usr/sbin/sshd -T -f %s'
  notify: reload sshd
  when: grep_matchuser_ssh.rc != 0

- name: Modify Match User's sshd directive for '{{ user.name }}'
  replace:
    dest: /etc/ssh/sshd_config
    regexp: '^(Match User ((?!{{ user.name }}).)*)$'
    replace: '\1,{{ user.name }}'
    validate: '/usr/sbin/sshd -T -f %s'
  notify: reload sshd
  when: grep_matchuser_ssh.rc == 0

- name: Verify Evolinux sudoers file presence
  template:
    src: sudoers_debian.j2
    dest: /etc/sudoers.d/evolinux
    force: false
    validate: '/usr/sbin/visudo -cf %s'
  register: copy_sudoers_evolinux

- name: Verify Evolinux sudoers file permissions
  file:
    path: /etc/sudoers.d/evolinux
    mode: "0440"
    state: file

- name: Add user in sudoers file for '{{ user.name }}'
  replace:
    dest: /etc/sudoers.d/evolinux
    regexp: '^(User_Alias\s+ADMINS\s+=((?!{{ user.name }}).)*)$'
    replace: '\1,{{ user.name }}'
    validate: '/usr/sbin/visudo -cf %s'
  when: not copy_sudoers_evolinux.changed

- meta: flush_handlers