ansible-roles/evolinux-users/tasks/ssh.yml

---


- name: "Create .ssh directory for '{{ user.name }}'"
  file:
    dest: '/home/{{ user.name }}/.ssh/'
    state: directory
    mode: "0700"
    owner: '{{ user.name }}'
    group: '{{ user.name }}'

- name: "Add user's SSH public key for '{{ user.name }}'"
  authorized_key:
    user: "{{ user.name }}"
    key: "{{ user.ssh_key }}"
    state: present

# we must double-escape caracters, because python
- name: verify AllowUsers directive
  shell: "egrep '^AllowUsers' /etc/ssh/sshd_config"
  changed_when: False
  failed_when: False
  register: grep_allowusers_ssh
  check_mode: no

- name: "Add AllowUsers sshd directive for '{{ user.name }}'"
  lineinfile:
    dest: /etc/ssh/sshd_config
    line: "\nAllowUsers {{ user.name }}"
    insertafter: 'Subsystem'
    validate: '/usr/sbin/sshd -T -f %s'
  notify: reload sshd
  when: grep_allowusers_ssh.rc != 0

- name: "Modify AllowUsers sshd directive for '{{ user.name }}'"
  replace:
    dest: /etc/ssh/sshd_config
    regexp: '^(AllowUsers ((?!{{ user.name }}).)*)$'
    replace: '\1 {{ user.name }}'
    validate: '/usr/sbin/sshd -T -f %s'
  notify: reload sshd
  when: grep_allowusers_ssh.rc == 0

- name: verify Match User directive
  command: "grep 'Match User' /etc/ssh/sshd_config"
  changed_when: False
  failed_when: False
  register: grep_matchuser_ssh
  check_mode: no

- name: "Add Match User sshd directive for '{{ user.name }}'"
  lineinfile:
    dest: /etc/ssh/sshd_config
    line: "\nMatch User {{ user.name }}\n    PasswordAuthentication no"
    validate: '/usr/sbin/sshd -T -f %s'
  notify: reload sshd
  when: grep_matchuser_ssh.rc != 0

- name: "Modify Match User's sshd directive for '{{ user.name }}'"
  replace:
    dest: /etc/ssh/sshd_config
    regexp: '^(Match User ((?!{{ user.name }}).)*)$'
    replace: '\1,{{ user.name }}'
    validate: '/usr/sbin/sshd -T -f %s'
  notify: reload sshd
  when: grep_matchuser_ssh.rc == 0