---
# tasks file for ssh
- name: Add group
  ansible.builtin.group:
    name: "{{ ssh_item.name }}"
    state: present
  loop: "{{ ssh_users }}"
  loop_control:
    loop_var: ssh_item

- name: Add user
  ansible.builtin.user:
    name: "{{ ssh_item.name }}"
    group: "{{ ssh_item.name }}"
    home: /home/{{ ssh_item.name }}
    create_home: true
    shell: /bin/bash
    state: "{{ ssh_item.state }}"
  loop: "{{ ssh_users }}"
  loop_control:
    loop_var: ssh_item

- name: Add authorized_key
  ansible.posix.authorized_key:
    user: "{{ ssh_item.0.name }}"
    key: "{{ ssh_item.1.key }}"
    exclusive: "{{ ssh_item.0.exclusive }}"
    state: "{{ ssh_item.0.state }}"
  loop: "{{ ssh_users | subelements('keys') }}"
  loop_control:
    loop_var: ssh_item

- name: Add sudoer rule for local user
  ansible.builtin.template:
    src: templates/10_allowed_suoders.j2
    dest: /etc/sudoers.d/10_allowed_suoders
    owner: root
    group: root
    mode: '0440'
    validate: /usr/sbin/visudo -csf %s

- name: Add hardened SSH config
  ansible.builtin.template:
    src: templates/00-sshd.conf.j2
    dest: /etc/ssh/sshd_config.d/00-sshd.conf
    owner: root
    group: root
    mode: '0600'
    validate: /usr/sbin/sshd -t -f %s
  notify: Reload SSH

- name: Set bash profile
  ansible.builtin.copy:
    src: files/profile.d/00-bash.sh
    dest: /etc/profile.d/00-bash.sh
    owner: root
    group: root
    mode: '0644'

- name: Set vim config
  ansible.builtin.copy:
    src: files/vim/vimrc.local
    dest: /etc/vim/vimrc.local
    owner: root
    group: root
    mode: '0644'