#vim: set ft=ansible:
---
# tasks file for bastion

######################### Setting up a bastion host to use student/r3dh4t1! to access

# Enable SSH Login with UserID/Password
# needs a parameter:
# - student_password: <password to be set for user student>
# Add User student with password {{ student_password }}! and home directory /home/student
# Allow sudo for user student

- name: Check that student_password was passed to the role
  fail:
    msg: "Password needs to be provided to the role as parameter 'student_password'"
  when:
    - student_password is not defined

- name: Create user
  user:
    name: "{{ student_name }}"
    password: "{{ student_password|password_hash('sha512') }}"
    comment: GTPE Student
    group: users
    groups: wheel
    shell: /bin/bash
    state: present

- name: Enable password authentication
  lineinfile:
    line: PasswordAuthentication yes
    regexp: '^ *PasswordAuthentication'
    path: /etc/ssh/sshd_config

- name: Populate authorized_key
  authorized_key:
    user: "{{ student_name }}"
    key: "{{ student_key }}"
  when: student_key is defined

- name: Allow passwordless sudo
  lineinfile:
    path: '/etc/sudoers'
    state: present
    line: "{{ student_name }}         ALL=(ALL)       NOPASSWD: ALL"
    insertafter: '^ec2-user'

- name: Restart sshd
  service:
    name: sshd
    state: restarted