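#SPDX-License-Identifier: MIT-0
---
# tasks file for roles/init-vps
# @TODO complete below tasks

# The sshd tasks below write drop-ins under /etc/ssh/sshd_config.d/.
# Drop-ins only apply when the main sshd_config has an Include for that
# directory, and sshd keeps the first value it reads for each keyword, so
# an earlier file or an earlier line in sshd_config can override them.
# NOTE(review): confirm both on the target images, for example by checking
# the effective configuration with `sshd -T` after the play.

# Stop the play early unless the connecting user is one of the usernames
# listed in `admins`.
- name: Checking whether administrative login used
  when: ansible_facts["user_id"] not in (admins | map(attribute="username") | list)
  ansible.builtin.fail:
    msg: Must use administrative user for subsequent tasks

# Installs the static drop-in files/sshd_config.d/auth.conf. Its contents
# are not visible here.
- name: Setting approved SSH authentication procedures
  when: harden and ansible_facts["system"] == "Linux"
  become: true
  ansible.builtin.copy:
    src: sshd_config.d/auth.conf
    dest: /etc/ssh/sshd_config.d/auth.conf
    owner: root
    group: root
    mode: "0644"
    force: true
    backup: true
    # Ansible substitutes %s with the staged temporary file. `-f` makes
    # sshd parse that file in test mode; without it the path is not read
    # as the configuration, so the staged content is never checked.
    # A rejected file is not installed, which avoids losing SSH access.
    # This checks the snippet alone, not its interaction with the rest
    # of the sshd configuration.
    validate: "sshd -t -f %s"
  # NOTE(review): presumably consumed by a later task or handler that
  # reloads sshd. None is visible here; the file has no effect until
  # sshd re-reads its configuration.
  register: ssh_authenticator
  tags:
    - ssh_secure_auth

# Installs the static drop-in files/sshd_config.d/denyroot.conf.
# NOTE(review): this task neither registers a result nor notifies a
# handler, so confirm that a change here also triggers an sshd reload.
- name: Prohibiting SSH root login
  when: harden and ansible_facts["system"] == "Linux"
  become: true
  ansible.builtin.copy:
    src: sshd_config.d/denyroot.conf
    dest: /etc/ssh/sshd_config.d/denyroot.conf
    owner: root
    group: root
    mode: "0644"
    force: true
    backup: true
    # Validate the staged file itself, as in the auth.conf task.
    validate: "sshd -t -f %s"

# Creates one system group per entry of `sys_users` whose `service` names
# an FTP-style service. The group is named after the entry's username.
# NOTE(review): if `item.service` is a string rather than a list, `in` is
# a substring match. Verify against the variable's schema.
- name: Create groups for FTP services
  when: "'internal-sftp' in item.service or 'proftpd' in item.service or 'vsftpd' in item.service"
  become: true
  ansible.builtin.group:
    name: "{{ item.username }}"
    system: true
    state: present
  loop: "{{ sys_users }}"
  register: ftp_groups

# Renders templates/sshd_config.d/sftp.conf.j2 into an sshd drop-in.
# NOTE(review): unlike the other sshd tasks, this one is not gated on
# `harden`. Confirm that is intentional.
- name: Configuring SFTP for FTP group
  when: ansible_facts["system"] == "Linux"
  become: true
  ansible.builtin.template:
    src: sshd_config.d/sftp.conf.j2
    dest: /etc/ssh/sshd_config.d/sftp.conf
    owner: root
    group: root
    mode: "0644"
    force: true
    backup: true
    # Validate the rendered file itself, as in the auth.conf task.
    validate: "sshd -t -f %s"
  # NOTE(review): presumably drives a later sshd reload. Confirm.
  register: configured_sftp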