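---
# Hardens sshd_config on the ldap-auth hosts, grants the sd-devel-32x groups
# passwordless sudo to a fixed set of service accounts, then restarts sshd.
#
# Every edit is validated before it replaces the live file: a syntax error
# in sshd_config or /etc/sudoers can lock administrators out of the host.
- name: sec_ssh start!
  hosts: ldap-auth
  become: true
  tasks:
    - name: Update sshd_config PermitRootLogin
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin'
        # sshd_config(5) documents arguments as case-sensitive, so write
        # the lowercase form rather than 'No'.
        line: 'PermitRootLogin no'
        # NOTE(review): sshd path assumed to be /usr/sbin/sshd; adjust per distro.
        validate: '/usr/sbin/sshd -t -f %s'
      tags:
        - sec_ssh

    # The next three tasks share regexp '^#Match User' and chain their
    # insertbefore anchors, so their order matters. Run in sequence they
    # are meant to produce:
    #   Match User administrator,oracle,postgres,mssql,nausd4,ansible
    #    PasswordAuthentication no
    #   Match All
    #   AuthorizedKeysCommand /usr/bin/get_ldap_ssh_key.sh
    # i.e. password logins are disabled only for the listed accounts and
    # 'Match All' ends that block before the AuthorizedKeysCommand line.
    # If neither the regexp nor the insertbefore anchor matches, lineinfile
    # appends at end of file, which would change the block's scope; verify
    # the rendered file on a new host.
    - name: Update sshd_config Match All
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#Match User'
        insertbefore: '^AuthorizedKeysCommand /usr/bin/get_ldap_ssh_key.sh'
        line: 'Match All'
        validate: '/usr/sbin/sshd -t -f %s'
      tags:
        - sec_ssh

    - name: Update sshd_config PasswordAuthentication no
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#Match User'
        insertbefore: '^Match All'
        line: ' PasswordAuthentication no'
        validate: '/usr/sbin/sshd -t -f %s'
      tags:
        - sec_ssh

    - name: Update sshd_config Match User administrator,oracle,postgres,mssql,nausd4,ansible
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#Match User'
        insertbefore: '^ PasswordAuthentication no'
        line: 'Match User administrator,oracle,postgres,mssql,nausd4,ansible'
        validate: '/usr/sbin/sshd -t -f %s'
      tags:
        - sec_ssh

    - name: Update sshd_config AllowGroups
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^AllowGroups'
        line: 'AllowGroups sd-all root administrator postgres mssql oinstall ansible nausd4'
        validate: '/usr/sbin/sshd -t -f %s'
      tags:
        - sec_ssh

    # One looped task replaces nine identical ones; the lines written to
    # /etc/sudoers are unchanged. Each group may run any command as the
    # listed run-as users without a password, so membership of these groups
    # is equivalent to holding those accounts.
    # NOTE(review): the run-as list names 'oinstall' while the sshd Match
    # User list names 'oracle'; confirm which account is intended.
    # NOTE(review): a drop-in file under /etc/sudoers.d would avoid editing
    # the main sudoers file; confirm the hosts include that directory.
    - name: Update sudoers for the sd-devel-321 to sd-devel-329 groups
      lineinfile:
        path: /etc/sudoers
        line: '%{{ item }} ALL=(administrator,postgres,mssql,oinstall,nausd4) NOPASSWD: ALL'
        state: present
        # Reject the edit if the resulting sudoers file does not parse.
        validate: '/usr/sbin/visudo -cf %s'
      with_items:
        - sd-devel-321
        - sd-devel-322
        - sd-devel-323
        - sd-devel-324
        - sd-devel-325
        - sd-devel-326
        - sd-devel-327
        - sd-devel-328
        - sd-devel-329

    # NOTE(review): this task and the sudoers task carry no sec_ssh tag, so
    # a run limited to --tags sec_ssh edits sshd_config without restarting
    # sshd; confirm that is intended.
    - name: restart sshd
      service:
        name: sshd
        enabled: true
        state: restarted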