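---
# Playbook: bootstrap the `ansible` service account's SSH access and set
# root's shell.
#
# Play "SSH" (hosts: server)
#   - creates ~/.ssh for the ansible user (0700 so sshd StrictModes accepts it)
#   - installs every public key from the `ssh_keys` variable
#   - appends a sshd_config Match block for the ansible user and reloads sshd
#
# Play "Users" (hosts: all)
#   - makes /bin/bash root's login shell
#
# The sshd block is managed with `blockinfile` rather than one `lineinfile`
# per line: the original first line carried an embedded "\n", which never
# matches an existing line, so every run appended another copy. A marked
# block is idempotent and is validated with `sshd -t` before it is written,
# which avoids locking the host out on a typo.
- name: SSH
  hosts: server
  tasks:
    - name: Ensure ansible ssh directory exists
      file:
        path: /home/ansible/.ssh
        state: directory
        # StrictModes (sshd default) rejects group/world-writable ~/.ssh
        mode: "0700"

    - name: Import SSH keys
      authorized_key:
        user: ansible
        key: "{{ item }}"
        state: present
      loop: "{{ ssh_keys }}"

    - name: Allow ansible user to only log in on wg0
      become: true
      blockinfile:
        path: /etc/ssh/sshd_config
        backup: true
        insertafter: EOF
        marker: "# {mark} ANSIBLE MANAGED BLOCK: ansible user wg0 restrictions"
        # A negated address on its own never yields a positive match in
        # sshd's pattern rules, so "Address !10.123.0.0/24" alone meant the
        # block never applied; "*,!10.123.0.0/24" matches every address
        # outside the wg0 subnet.
        #
        # NOTE(review): the directives below only disable password auth and
        # forwarding for connections outside 10.123.0.0/24; they do not by
        # themselves refuse key-based logins from other addresses, and
        # PermitRootLogin has no effect inside a "Match User ansible" block.
        # Confirm this matches the intended policy.
        block: |
          # Allow Ansible user to log in only using SSH key and only on wg0 interface
          Match User ansible Address *,!10.123.0.0/24
              PermitRootLogin no
              PasswordAuthentication no
              AllowTcpForwarding no
              X11Forwarding no
        # Refuse to write a config that sshd cannot parse.
        validate: "/usr/sbin/sshd -t -f %s"
      notify: restart sshd

  handlers:
    - name: restart sshd
      become: true
      service:
        name: sshd
        state: restarted

- name: Users
  hosts: all
  tasks:
    - name: Set bash as default shell for root
      become: true
      user:
        name: root
        shell: /bin/bash

    # NOTE(review): the disabled task below carries a crypt(3) password hash
    # in the playbook itself. If it is re-enabled, source the hash from an
    # Ansible Vault variable (e.g. "{{ fr_password_hash }}") instead of
    # committing it to version control.
    #- name: User fr
    #  user:
    #    name: fr
    #    password: $6$7Z.h8Q6CO9AevdIp$8W2nuvD7ZqeXBO.Azsayx2tJ4L0KD44hOz5aNzpGPN/hUtaROvmY7aJ0x7Ie3CPawp6lV4ln2fHQQ7V5Yuy7k0
    #    groups:
    #      # Arduino serial access
    #      - dialout
    #      - wheel
    #    state: present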