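---
# User-management tasks: create users, grant sudo (password-prompting via the
# 'sudo' group, or passwordless via 'wheel'), install authorized keys, manage
# root SSH login and drop a tmux config.
#
# Variables expected from the play/role vars (not defined in this file):
#   users, sudoers, enable_sudo, enable_passwordless_sudo,
#   authorized_keys_are_exclusive, enable_ssh_for_root,
#   enable_ssh_for_root_prohibit_password.
# The 'Restart SSH' handler is defined elsewhere.

- name: 'Install required packages'
  # Block-style module args instead of the legacy "name=... state=..." string.
  pkgng:
    name: "{{ item }}"
    state: present
  with_items:
    - sudo
  when: ansible_facts['os_family'] == 'FreeBSD'

- name: 'Create users with corresponding groups'
  user:
    name: "{{ item }}"
    groups: users
  with_items: "{{ users }}"

# Password-prompting sudo through the 'sudo' group.
- block:
    - name: 'Ensure that sudo group is existing'
      group:
        name: sudo
        state: present

    - name: 'Allow sudo group to do sudo'
      lineinfile:
        # errors='ignore' makes first_found return an empty string when no
        # candidate exists; lineinfile then fails on the empty path.
        dest: "{{ lookup('first_found', files, errors='ignore') }}"
        state: present
        # Also matches a commented-out default line so it is replaced in place.
        regexp: '^#?\s*%sudo'
        line: '%sudo ALL=(ALL) ALL'
        # Never leave behind a sudoers file that visudo rejects.
        validate: visudo -cf %s
      vars:
        files:
          - /etc/sudoers
          - /usr/local/etc/sudoers  # e.g. FreeBSD

    - name: 'Add sudoers user to sudo group'
      user:
        name: "{{ item }}"
        groups: sudo
        append: true  # keep the user's existing secondary groups
      with_items: "{{ sudoers }}"
  when:
    - enable_sudo
    - not enable_passwordless_sudo

- name: 'Add corresponding authorized_keys to each user'
  authorized_key:
    user: "{{ item }}"
    state: present
    # Jinja concatenation instead of nested '{{ }}' inside the lookup string.
    key: "{{ lookup('file', 'public_keys/id_' ~ item ~ '.pub') }}"
    # exclusive=true removes every key not listed here.
    exclusive: "{{ authorized_keys_are_exclusive | bool }}"
  with_items: "{{ users }}"
  # Best effort: a missing public_keys/id_<user>.pub does not abort the play.
  # NOTE(review): this also hides a mistyped key filename; the user is then
  # left without the intended key and the failure only shows in the play log.
  ignore_errors: true

# Passwordless sudo through the 'wheel' group.
- block:
    - name: 'Ensure that wheel group is existing'
      group:
        name: wheel
        state: present

    - name: 'Add sudoers user to wheel group'
      user:
        name: "{{ item }}"
        groups: wheel
        append: true  # keep the user's existing secondary groups
      with_items: "{{ sudoers }}"

    - name: 'Allow wheel group to do passwordless sudo'
      lineinfile:
        # See the %sudo task above for the empty-path caveat.
        dest: "{{ lookup('first_found', files, errors='ignore') }}"
        state: present
        # NOTE(review): unlike the %sudo regexp above this does not match a
        # commented-out '# %wheel' default, so lineinfile appends a new line
        # instead of replacing it. Consider '^#?\s*%wheel' for consistency.
        regexp: '^%wheel'
        line: '%wheel ALL=(ALL) NOPASSWD:ALL'
        validate: visudo -cf %s
      vars:
        files:
          - /etc/sudoers
          - /usr/local/etc/sudoers  # e.g. FreeBSD

    # NOTE(review): the three PermitRootLogin tasks below sit inside this
    # block, so they only run when enable_sudo AND enable_passwordless_sudo
    # are true (see the block-level 'when' at the bottom). If root SSH policy
    # is meant to be independent of sudo, move them to the top level.
    - name: 'Disable SSH for root'
      lineinfile:
        dest: "/etc/ssh/sshd_config"
        state: present
        regexp: '^#?\s*PermitRootLogin'
        line: 'PermitRootLogin No'
      notify: Restart SSH
      when:
        - not (enable_ssh_for_root | bool)

    - name: 'Enable SSH for root through password or key'
      lineinfile:
        dest: "/etc/ssh/sshd_config"
        state: present
        regexp: '^#?\s*PermitRootLogin'
        line: 'PermitRootLogin Yes'
      notify: Restart SSH
      when:
        - enable_ssh_for_root | bool
        - not (enable_ssh_for_root_prohibit_password | bool)

    - name: 'Enable SSH for root through key only'
      lineinfile:
        dest: "/etc/ssh/sshd_config"
        state: present
        regexp: '^#?\s*PermitRootLogin'
        line: 'PermitRootLogin prohibit-password'
      notify: Restart SSH
      when:
        - enable_ssh_for_root | bool
        - enable_ssh_for_root_prohibit_password | bool
  when:
    - enable_sudo
    - enable_passwordless_sudo

- name: Copy tmux config
  copy:
    src: files/tmux.conf
    # Assumes every user's home is /home/<name> — TODO confirm for all hosts.
    dest: /home/{{ item }}/.tmux.conf
    # Quoted so the octal literal is not parsed as the integer 420.
    mode: "0644"
    owner: "{{ item }}"
    group: "{{ item }}"
  with_items: "{{ users }}"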