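---
# Tasks for hardening the OpenSSH server configuration.
#
# Every edit to /etc/ssh/sshd_config goes through lineinfile with
# `validate`, so a line that sshd would reject is never written and the
# handler "restart ssh" cannot leave the host without a working sshd.
# lineinfile inserts before the "base config barrier" line; when that line
# does not exist yet (first run, before the barrier task below), lineinfile
# falls back to appending at end of file.
#
# NOTE(review): on distributions whose sshd_config starts with
# `Include /etc/ssh/sshd_config.d/*.conf`, sshd keeps the FIRST value it
# reads for an option, so a drop-in file can silently override the lines
# written here. Check the rendered effective config (`sshd -T`) on such hosts.

- name: load os/distrubtion/version specific variables
  # Most specific match wins: release, then distribution, then OS family.
  with_first_found:
    - files:
        - "{{ ansible_distribution_release }}.yml"
        - "{{ ansible_distribution }}.yml"
        - "{{ ansible_os_family }}.yml"
  include_vars: "{{ item }}"

- name: hardening ssh-server config
  vars:
    # Keys are sshd_config option names, values are written verbatim.
    # Quoted "yes"/"no" keep them strings (YAML would otherwise read booleans).
    sshd_options:
      IgnoreRhosts: "yes"
      # "without-password" is the legacy spelling of "prohibit-password":
      # root may log in with keys only, never with a password.
      PermitRootLogin: "without-password"
      PubkeyAuthentication: "yes"
      HostbasedAuthentication: "no"
      PasswordAuthentication: "{{ sshd_password_auth | ternary('yes', 'no') }}"
      PermitEmptyPasswords: "no"
      UseDNS: "no"
  loop: "{{ sshd_options | dict2items }}"
  loop_control:
    label: "{{ item.key }} = {{ item.value }}"
  lineinfile:
    dest: /etc/ssh/sshd_config
    # Also matches a commented-out default ("#Option value") so the stock
    # line is replaced in place instead of leaving it next to ours.
    regexp: "^(#\\s*)?{{ item.key }}\\s"
    line: "{{ item.key }} {{ item.value }}"
    insertbefore: '^### ansible core/sshd/base config barrier ###'
    # Reject the edit if sshd cannot parse the resulting file.
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart ssh

- name: limit allowed users
  when: not sshd_allow_any_user | bool
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^AllowUsers\\s"
    # root is always kept so a key-based emergency login stays possible;
    # sshd_jump_users is a mapping, so `list` yields its keys.
    line: "AllowUsers {{ ' '.join([ 'root' ] | union(sshd_allowusers_group) | union(sshd_allowusers_host) | union(sshd_jump_users | default({}) | list)) }}"
    insertbefore: '^### ansible core/sshd/base config barrier ###'
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart ssh

- name: allow any user
  when: sshd_allow_any_user | bool
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^AllowUsers\\s"
    state: absent
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart ssh

- name: limit allowed groups
  when: not sshd_allow_any_group | bool
  block:
    # An empty AllowGroups would lock every group (including root's) out,
    # so refuse to continue rather than write it.
    - name: verify sshd allow-groups are configured
      assert:
        that: (sshd_allowgroups_group | union(sshd_allowgroups_host) | length) > 0
        msg: Please set sshd_allowgroups_group and or sshd_allowgroups_host

    - name: set AllowGroups option
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "^AllowGroups\\s"
        line: "AllowGroups {{ ' '.join(sshd_allowgroups_group | union(sshd_allowgroups_host)) }}"
        insertbefore: '^### ansible core/sshd/base config barrier ###'
        validate: '/usr/sbin/sshd -t -f %s'
      notify: restart ssh

- name: allow any group
  when: sshd_allow_any_group | bool
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^AllowGroups\\s"
    state: absent
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart ssh

- name: install config barriers for other roles to use
  # Two comment lines that mark where this role's options end ("base")
  # and where other roles may append their own ("sshd config barrier").
  # The first item anchors itself before the second, the second after the
  # first; whichever is missing is appended at end of file.
  loop:
    - line: "### ansible core/sshd/base config barrier ###"
      insertbefore: "### ansible core/sshd config barrier ###"
    - line: "### ansible core/sshd config barrier ###"
      insertafter: "### ansible core/sshd/base config barrier ###"
  loop_control:
    label: "{{ item.line }}"
  lineinfile:
    dest: /etc/ssh/sshd_config
    line: "{{ item.line }}"
    # `omit` drops whichever anchor the item does not define.
    insertbefore: "{{ item.insertbefore | default(omit) }}"
    insertafter: "{{ item.insertafter | default(omit) }}"
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart ssh

- name: install ssh keys for root
  authorized_key:
    user: root
    key: "{{ ssh_keys_root | union(ssh_keys_root_extra) | join('\n') }}"
    # exclusive: every key not in the list above is removed from
    # root's authorized_keys, so the lists are the full source of truth.
    exclusive: true

- name: delete root password
  # Only when the role is told which value to write. The `user` module
  # expects an already-hashed/locked value here (e.g. a locked marker such
  # as "!" or "*"), not a plaintext password — presumably that is what
  # sshd_disabled_password holds; verify against the role defaults.
  when: sshd_disabled_password is defined
  user:
    name: root
    password: "{{ sshd_disabled_password }}"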