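---
# Baseline host setup: sshd access restrictions, root authorized keys, apt
# defaults, base packages, time sync, and zsh as the default shell.

# Build the sshd allow-list: root plus the NOC group members, extended by the
# optional per-group and per-host lists. union() also drops duplicates.
# NOTE(review): the folded scalar is a string at YAML level; Ansible re-parses
# the templated result into a list — confirm this holds on the Ansible
# version in use before relying on ' '.join() below.
- set_fact:
    sshd_allowusers: >-
      {{ [ 'root' ]
      | union(user_groups.noc)
      | union(sshd_allowusers_group | default([]))
      | union(sshd_allowusers_host | default([])) }}

# "without-password" is the pre-OpenSSH-7.0 spelling of "prohibit-password";
# both disable password logins for root while keeping key-based login.
- name: only allow pubkey auth for root
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^PermitRootLogin"
    line: "PermitRootLogin without-password"
  notify: restart ssh

# Variant 1: no sshd_allowgroup defined — restrict sshd by user names directly.
- name: limit allowed users (1/2)
  when: sshd_allowgroup is not defined
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: "^#?AllowUsers"
    line: "AllowUsers {{ ' '.join(sshd_allowusers) }}"
  notify: restart ssh

# Variant 2: sshd_allowgroup defined — restrict by group membership. Any
# existing AllowUsers line is removed first: sshd evaluates AllowUsers and
# AllowGroups together, so a stale AllowUsers line would still lock out users
# that are only in the allowed group.
- block:
    - name: "limit allowed users (2/2): Make sure AllowUsers is not in sshd_config"
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "^AllowUsers"
        state: absent
      notify: restart ssh
    - name: "limit allowed users (2/2): Set AllowGroups in sshd_config"
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "^#?AllowGroups"
        line: "AllowGroups {{ sshd_allowgroup }}"
      notify: restart ssh
    - name: "limit allowed users (2/2): Add allowed users to ssh group"
      user:
        name: "{{ item }}"
        groups: "{{ sshd_allowgroup }}"
        append: true  # keep the user's existing secondary groups
      with_items: "{{ sshd_allowusers }}"
  when: sshd_allowgroup is defined

# exclusive: true makes the module own the whole authorized_keys file, so keys
# removed from noc_ssh_keys are revoked on the next run instead of lingering.
- name: Set authorized keys for root user
  authorized_key:
    user: root
    key: "{{ noc_ssh_keys | join('\n') }}"  # double quotes: \n must be a real newline
    exclusive: true

- name: disable apt suggests and recommends
  copy:
    src: 02no-recommends
    dest: /etc/apt/apt.conf.d/
    mode: "0644"  # quoted: an unquoted 0644 is an octal int to YAML 1.1 parsers

- name: install basic packages
  apt:
    name:
      - less
      - psmisc
      - sudo
      - htop
      - dstat
      - mtr-tiny
      - tcpdump
      - debian-goodies
      - lsof
      - haveged
      - net-tools
      - screen
      - aptitude
      - unp
      - ca-certificates
      - file
      - nano
      - zsh
      - python-apt
    state: present

# openntpd replaces ISC ntpd; both must not be installed side by side.
- name: check that ISC ntpd is not installed
  apt:
    name: ntp
    state: absent
    purge: true

- name: install openntpd
  apt:
    name: openntpd
    state: present

- name: make sure grml-(etc|scripts)-core is not installed
  apt:
    name:
      - grml-etc-core
      - grml-scripts-core
    state: absent
    purge: true

- block:
    - name: install systemd specific packages
      apt:
        name:
          - dbus
          - libpam-systemd
        state: present
    - name: set systemd-related environment variables
      copy:
        src: xdg_runtime_dir.sh
        dest: /etc/profile.d/xdg_runtime_dir.sh
        mode: "0644"
  when: ansible_service_mgr == "systemd"

- block:
    - name: workaround console-setup race condition (1/2)
      file:
        path: /etc/systemd/system/console-setup.service.d/
        state: directory
    - name: workaround console-setup race condition (2/2)
      copy:
        content: "[Unit]\nAfter=systemd-tmpfiles-setup.service\n"
        dest: /etc/systemd/system/console-setup.service.d/override.conf
        mode: "0644"
      # no need to reload systemd here, it is only there to fix a boot-time race condition
  when: ansible_distribution == "Ubuntu"

- name: install zshrc
  with_items:
    - src: "zprofile"
      dest: "/etc/zsh/zprofile"
    - src: "zshrc"
      dest: "/etc/zsh/zshrc"
    - src: "zshrc.skel"
      dest: "/etc/skel/.zshrc"
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "0644"

- name: set root default shell to zsh
  user:
    name: root
    shell: /bin/zsh

# Make zsh the default for accounts created later via adduser as well.
- name: set default shell for adduser
  with_dict:
    DSHELL: /bin/zsh
  lineinfile:
    dest: /etc/adduser.conf
    regexp: "^#?{{ item.key }}="
    line: "{{ item.key }}={{ item.value }}"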