---
# SSH access for the account described by the `user` variable.
# Reads user.name, and user.ssh_key / user.ssh_keys when they are defined.

# The directory is restricted to its owner (0700).
# The path is hard-coded under /home/<name>.
- name: "Create .ssh directory for '{{ user.name }}'"
  file:
    dest: "/home/{{ user.name }}/.ssh/"
    state: directory
    owner: "{{ user.name }}"
    group: "{{ user.name }}"
    mode: "0700"

# Single-key form: skipped when user.ssh_key is not set.
- name: "Add user's SSH public key for '{{ user.name }}'"
  when: user.ssh_key is defined
  authorized_key:
    user: "{{ user.name }}"
    key: "{{ user.ssh_key }}"
    state: present

# List form: one authorized_keys entry per item of user.ssh_keys.
- name: "Add user's SSH public keys for '{{ user.name }}'"
  when: user.ssh_keys is defined
  authorized_key:
    user: "{{ user.name }}"
    key: "{{ ssh_pubkey }}"
    state: present
  with_items: "{{ user.ssh_keys }}"
  loop_control:
    loop_var: ssh_pubkey

# Read-only probe of sshd_config. It also runs in check mode, so the
# registered result exists for the conditions below, and it never reports
# a change or a failure.
# NOTE(review): because failures are ignored, a grep error (rc 2, e.g. an
# unreadable file) is handled like "no match" (rc 1) by the tests below,
# which only distinguish rc == 0 from rc != 0.
# NOTE(review): the pattern is case-sensitive and anchored at column 0,
# while sshd accepts keywords in any case; confirm the managed file always
# spells the directive exactly "AllowGroups".
- name: verify AllowGroups directive
  command: "grep -E '^AllowGroups' /etc/ssh/sshd_config"
  register: grep_allowgroups_ssh
  check_mode: false
  changed_when: false
  failed_when: false

# AllowGroups mode: the directive is already present, or the distribution
# major version is 9 or later (the distribution name itself is not tested).
- include: ssh_groups.yml
  when: >-
    grep_allowgroups_ssh.rc == 0
    or ansible_distribution_major_version | version_compare('9', '>=')

# AllowUsers mode: the probe above found no AllowGroups line.
# NOTE(review): the probe result is registered before ssh_groups.yml runs,
# so on a host with major version >= 9 and no AllowGroups line both
# includes are selected. When sshd_config carries both AllowUsers and
# AllowGroups, a login has to pass both lists; confirm against
# ssh_groups.yml and ssh_users.yml (not visible here) that this overlap is
# intended.
- include: ssh_users.yml
  when: grep_allowgroups_ssh.rc != 0