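---
# Baseline hardening and tooling for Debian-family hosts.
#
# Expects a handler named "restart ssh" to be defined elsewhere in the role.
# Optional inputs:
#   sshd_allowusers_group / sshd_allowusers_host : extra accounts permitted to log in over ssh
#   sshd_allowusers_set : when defined, restrict logins with AllowUsers
#   sshd_allowgroup     : when defined, restrict logins with AllowGroups (wins over AllowUsers)
#   when neither is defined, any Allow* restriction is removed again

- name: Build the list of ssh-permitted users (root is always included)
  set_fact:
    sshd_allowusers: "{{ ['root'] | union(sshd_allowusers_group | default([])) | union(sshd_allowusers_host | default([])) }}"

- name: Only allow public-key authentication for root
  # "without-password" is the pre-OpenSSH-7.0 spelling of "prohibit-password"
  # and is kept for older sshd releases. Matching the commented default
  # ("^#?") replaces it in place instead of appending at EOF, where the
  # directive could land inside a trailing Match block and apply only there.
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^#?PermitRootLogin"
    line: "PermitRootLogin without-password"
  notify: restart ssh

- name: "Limit allowed users (1/3): set AllowUsers in sshd_config"
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^#?AllowUsers"
    line: "AllowUsers {{ sshd_allowusers | join(' ') }}"
  when: sshd_allowusers_set is defined and sshd_allowgroup is not defined
  notify: restart ssh

- name: "Limit allowed users (1/3): make sure AllowGroups is not in sshd_config"
  # Mirror of the cleanup done in (2/3): a host switched from AllowGroups to
  # AllowUsers would otherwise keep both directives and have to satisfy both.
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^AllowGroups"
    state: absent
  when: sshd_allowusers_set is defined and sshd_allowgroup is not defined
  notify: restart ssh

- block:
    - name: "Limit allowed users (2/3): make sure the ssh group exists"
      # The user module refuses to add an account to a group that does not
      # exist, so create it first.
      group:
        name: "{{ sshd_allowgroup }}"
        state: present

    - name: "Limit allowed users (2/3): make sure AllowUsers is not in sshd_config"
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "^AllowUsers"
        state: absent
      # The original block never notified the handler, so a new AllowGroups
      # restriction was written to disk but not enforced until the next restart.
      notify: restart ssh

    - name: "Limit allowed users (2/3): set AllowGroups in sshd_config"
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "^#?AllowGroups"
        line: "AllowGroups {{ sshd_allowgroup }}"
      notify: restart ssh

    - name: "Limit allowed users (2/3): add allowed users to the ssh group"
      # NOTE: the user module creates any listed account that does not exist
      # yet (state defaults to present); keep sshd_allowusers_* limited to
      # accounts that should exist on the host.
      user:
        name: "{{ item }}"
        groups: "{{ sshd_allowgroup }}"
        append: true
      with_items: "{{ sshd_allowusers }}"
  when: sshd_allowgroup is defined

- name: "Limit allowed users (3/3): drop Allow* restrictions when none is configured"
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^Allow(Users|Groups)"
    state: absent
  when: sshd_allowusers_set is not defined and sshd_allowgroup is not defined
  notify: restart ssh

- name: Set authorized keys for root user
  # The pipe lookup runs on the controller (from the playbook/role base
  # directory). exclusive: true replaces every other key in root's
  # authorized_keys, so this must stay the single task that manages them.
  # If the glob matches nothing, cat exits non-zero and the lookup errors,
  # so the task fails instead of wiping all root keys.
  authorized_key:
    user: root
    key: "{{ lookup('pipe', 'cat ssh/noc/*.pub') }}"
    exclusive: true

- name: Disable apt suggests and recommends
  copy:
    src: 02no-recommends
    dest: /etc/apt/apt.conf.d/
    mode: "0644"

- name: Install basic packages
  # One apt call for the whole list instead of one per item.
  apt:
    name:
      - less
      - psmisc
      - sudo
      - htop
      - dstat
      - mtr-tiny
      - tcpdump
      - debian-goodies
      - lsof
      - haveged
      - net-tools
      - ntp
      - screen
      - aptitude
      - unp
      - ca-certificates
      - file
      - zsh
      - python-apt
    state: present

- block:
    - name: Install systemd specific packages
      apt:
        name:
          - dbus
          - libpam-systemd
        state: present

    - name: Set systemd-related environment variables
      copy:
        src: xdg_runtime_dir.sh
        dest: /etc/profile.d/xdg_runtime_dir.sh
        mode: "0644"
  when: ansible_service_mgr == "systemd"

- name: Install zshrc
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "0644"
  with_items:
    - { src: zprofile, dest: /etc/zsh/zprofile }
    - { src: zshrc, dest: /etc/zsh/zshrc }
    - { src: zshrc.skel, dest: /etc/skel/.zshrc }

- name: Set root default shell to zsh
  user:
    name: root
    shell: /bin/zsh

- name: Set default shell for adduser
  lineinfile:
    dest: /etc/adduser.conf
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
  with_items:
    - { regexp: "^DSHELL", line: "DSHELL=/bin/zsh" }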