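---
# Tasks that harden /etc/ssh/sshd_config: optionally disable root login,
# disable password authentication, restrict logins to an explicit user
# allow-list and set the listening port. Every edit notifies the
# "Restart SSH" handler (defined outside this file).
#
# NOTE(review): each lineinfile edit is written without a syntax check. Where
# the target hosts support it, consider adding
# `validate: /usr/sbin/sshd -t -f %s` so that a broken config is never
# installed ahead of the restart.
# NOTE(review): when `regexp` matches nothing, lineinfile appends the line at
# the end of the file. If sshd_config ends with a `Match` block, the directive
# would then apply only inside that block; confirm against the managed hosts.

- name: Ensure mandatory variables are configured
  assert:
    that: "{{ item }} is defined"
    fail_msg: "You must define the '{{ item }}' variable"
  with_items:
    - sshd_user_accounts

- name: Disable root SSH login
  lineinfile:
    line: PermitRootLogin no
    dest: /etc/ssh/sshd_config
    regexp: "^#?PermitRootLogin"
  # `| bool` keeps this from failing open: a string such as "false" (e.g.
  # passed with -e) is truthy in a bare condition, which would skip the task
  # and leave root login at whatever the file already says.
  when: not sshd_permit_root_login | bool
  notify: Restart SSH

- name: Do not allow SSH access using passwords
  lineinfile:
    line: PasswordAuthentication no
    dest: /etc/ssh/sshd_config
    regexp: "^#?PasswordAuthentication"
  notify: Restart SSH

# Loads the vars file named by sshd_user_accounts; presumably this is where
# `members` comes from (verify against the vars file).
- name: Include resource variables
  include_vars: "{{ sshd_user_accounts }}"
  tags:
    # Note(d1): we already load in converge.yml so skip here
    - molecule-notest

# Flattens the `username` attribute of every entry in `members` into one
# space-separated string, the format the AllowUsers directive takes.
- name: Register the list of members
  set_fact:
    members_list: "{{ members | map(attribute='username') | list | join(' ') }}"

# Stop before touching sshd_config if the allow-list came out empty: a bare
# `AllowUsers` line with no usernames is not a usable allow-list and sshd may
# refuse to start on it.
- name: Ensure the list of members is not empty
  assert:
    that: "members_list | trim | length > 0"
    fail_msg: "Refusing to write an empty AllowUsers directive: 'members' yields no usernames"

- name: "Only allow logins from {{ members_list }}"
  lineinfile:
    line: "AllowUsers {{ members_list }}"
    dest: /etc/ssh/sshd_config
    regexp: "^#?AllowUsers"
  notify: Restart SSH

- name: "Set SSH port to {{ sshd_port }}"
  lineinfile:
    line: "Port {{ sshd_port }}"
    dest: /etc/ssh/sshd_config
    regexp: "^#?Port"
  notify: Restart SSH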