---

- set_fact:
    IP_subject_alt_name: "{{ IP_subject_alt_name }}"

- name: Ensure that the sshd_config file has desired options
  blockinfile:
    dest: /etc/ssh/sshd_config
    marker: '# {mark} ANSIBLE MANAGED BLOCK ssh_tunneling_role'
    block: |
      Match Group algo
          AllowTcpForwarding local
          AllowAgentForwarding no
          AllowStreamLocalForwarding no
          PermitTunnel no
          X11Forwarding no
  notify:
    - restart ssh

- name: Ensure that the algo group exist
  group: name=algo state=present

- name: Ensure that the jail directory exist
  file: path=/var/jail/ state=directory mode=0755 owner=root group="{{ root_group|default('root') }}"

- name: Ensure that the SSH users exist
  user:
    name: "{{ item }}"
    groups: algo
    home: '/var/jail/{{ item }}'
    createhome: yes
    generate_ssh_key: yes
    shell: /bin/false
    ssh_key_type: ecdsa
    ssh_key_bits: 256
    ssh_key_comment: '{{ item }}@{{ IP_subject_alt_name }}'
    ssh_key_passphrase: "{{ easyrsa_p12_export_password }}"
    state: present
    append: yes
  with_items: "{{ users }}"

- name: The authorized keys file created
  file:
    src: '/var/jail/{{ item }}/.ssh/id_ecdsa.pub'
    dest: '/var/jail/{{ item }}/.ssh/authorized_keys'
    owner: "{{ item }}"
    group: "{{ item }}"
    state: link
  with_items: "{{ users }}"

- name: Generate SSH fingerprints
  shell: >
    ssh-keyscan {{ IP_subject_alt_name }} 2>/dev/null
  register: ssh_fingerprints

- name: The known_hosts file created
  template: src=known_hosts.j2 dest=/root/.ssh/{{ IP_subject_alt_name }}_known_hosts

- name: Fetch users SSH private keys
  fetch: src='/var/jail/{{ item }}/.ssh/id_ecdsa' dest=configs/{{ IP_subject_alt_name }}/{{ item }}.ssh.pem flat=yes
  with_items: "{{ users }}"

- name: Change mode for SSH private keys
  local_action: file path=configs/{{ IP_subject_alt_name }}/{{ item }}.ssh.pem mode=0600
  with_items: "{{ users }}"
  become: false

- name: Fetch the known_hosts file
  fetch: src='/root/.ssh/{{ IP_subject_alt_name }}_known_hosts' dest=configs/{{ IP_subject_alt_name }}/{{ IP_subject_alt_name }}_known_hosts flat=yes

- name: Build the client ssh config
  local_action:
    module: template
    src: ssh_config.j2
    dest: configs/{{ IP_subject_alt_name }}/{{ item }}.ssh_config
    mode: 0600
  become: no
  with_items:
    - "{{ users }}"