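---
# Provision restricted "jump" SSH accounts from the sshd_jump_users dict.
# Expected shape (inferred from the templates below — confirm against the
# role's vars): key = user name, value.authorized_keys = list of public-key
# lines, value.permit_open = optional list of host:port targets.

- name: load os/distrubtion/version specific variables
  # Most specific match wins: release, then distribution, then OS family.
  with_first_found:
    - files:
        - "{{ ansible_distribution_release }}.yml"
        - "{{ ansible_distribution }}.yml"
        - "{{ ansible_os_family }}.yml"
  include_vars: "{{ item }}"

- name: add jump users
  loop: "{{ sshd_jump_users | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  # No usable shell and no home directory: the account exists only so that
  # sshd can match it; interactive use is refused again in the Match block.
  user:
    name: "{{ item.key }}"
    shell: /bin/false
    home: "/nonexistent/{{ item.key }}"
    create_home: false

- name: create directory for authorized_keys
  file:
    path: /etc/ssh/authorized_keys.d
    # Quoted: an unquoted 0755 is a YAML integer (493) and Ansible's octal
    # handling of integer modes is unreliable, especially inside loops.
    mode: "0755"
    state: directory

- name: install authorized_keys file for jump users
  loop: "{{ sshd_jump_users | dict2items }}"
  loop_control:
    label: "{{ item.key }} ({{ item.value.authorized_keys | length }} keys)"
  # root-owned and group-readable only: the jump user can read its own key
  # file but cannot add keys to it.
  copy:
    content: "{{ item.value.authorized_keys | join('\n') }}\n"
    dest: "/etc/ssh/authorized_keys.d/{{ item.key }}"
    mode: "0640"
    owner: root
    group: "{{ item.key }}"

- name: create match user configs
  # One Match block per jump user: keys only, no shell, no TTY, no agent or
  # X11/tunnel forwarding; only local TCP forwarding to the listed targets.
  # Consider adding `validate: '/usr/sbin/sshd -t -f %s'` (adjust the sshd
  # path per distribution) so a malformed block is never written into the
  # live config.
  blockinfile:
    marker: "# {mark} ansible core/sshd/jump"
    block: |
      {% for name, config in sshd_jump_users.items() %}
      Match User {{ name }}
        AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u
        PasswordAuthentication no
        PermitTTY no
        X11Forwarding no
        PermitTunnel no
        GatewayPorts no
        AllowAgentForwarding no
        AllowStreamLocalForwarding no
        ForceCommand /sbin/nologin
        AllowTcpForwarding local
        {# Without permit_open the user may forward to any host:port;
           set permit_open per user to pin the reachable targets. #}
        PermitOpen {{ config.permit_open | default(['any']) | list | join(' ') }}
        PermitListen none
      {% if not loop.last %}
      {% endif %}
      {% endfor %}
    insertafter: "### ansible core/sshd/base config barrier ###"
    dest: /etc/ssh/sshd_config
  notify: restart ssh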