---
- block:
    - name: Ensure that the sshd_config file has desired options
      blockinfile:
        dest: /etc/ssh/sshd_config
        marker: '# {mark} ANSIBLE MANAGED BLOCK ssh_tunneling_role'
        block: |
          Match Group algo
              AllowTcpForwarding local
              AllowAgentForwarding no
              AllowStreamLocalForwarding no
              PermitTunnel no
              X11Forwarding no
      notify:
        - restart ssh

    - name: Ensure that the algo group exist
      group: name=algo state=present

    - name: Ensure that the jail directory exist
      file:
        path: /var/jail/
        state: directory
        mode: 0755
        owner: root
        group: "{{ root_group|default('root') }}"

    - name: Ensure that the SSH users exist
      user:
        name: "{{ item }}"
        groups: algo
        home: '/var/jail/{{ item }}'
        createhome: yes
        generate_ssh_key: yes
        shell: /bin/false
        ssh_key_type: ecdsa
        ssh_key_bits: 256
        ssh_key_comment: '{{ item }}@{{ IP_subject_alt_name }}'
        ssh_key_passphrase: "{{ easyrsa_p12_export_password }}"
        update_password: on_create
        state: present
        append: yes
      with_items: "{{ users }}"

    - name: The authorized keys file created
      file:
        src: '/var/jail/{{ item }}/.ssh/id_ecdsa.pub'
        dest: '/var/jail/{{ item }}/.ssh/authorized_keys'
        owner: "{{ item }}"
        group: "{{ item }}"
        state: link
      with_items: "{{ users }}"

    - name: Generate SSH fingerprints
      shell: ssh-keyscan {{ IP_subject_alt_name }} 2>/dev/null
      register: ssh_fingerprints

    - name: Fetch users SSH private keys
      fetch:
        src: '/var/jail/{{ item }}/.ssh/id_ecdsa'
        dest: configs/{{ IP_subject_alt_name }}/{{ item }}.ssh.pem
        flat: yes
      with_items: "{{ users }}"

    - name: Change mode for SSH private keys
      local_action: file path=configs/{{ IP_subject_alt_name }}/{{ item }}.ssh.pem mode=0600
      with_items: "{{ users }}"
      become: false

    - name: Fetch the known_hosts file
      local_action:
        module: template
        src: known_hosts.j2
        dest: configs/{{ IP_subject_alt_name }}/known_hosts
      become: no

    - name: Build the client ssh config
      local_action:
        module: template
        src: ssh_config.j2
        dest: configs/{{ IP_subject_alt_name }}/{{ item }}.ssh_config
        mode: 0600
      become: no
      with_items:
        - "{{ users }}"

    - name: SSH | Get active system users
      shell: >
        getent group algo | cut -f4 -d: | sed "s/,/\n/g"
      register: valid_users
      when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"

    - name: SSH | Delete non-existing users
      user:
        name: "{{ item }}"
        state: absent
        remove: yes
        force: yes
      when: item not in users and ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y"
      with_items: "{{ valid_users.stdout_lines | default('null') }}"
  rescue:
    - debug: var=fail_hint
      tags: always
    - fail:
      tags: always