Files @ 713f25145801

Location: majic-ansible-roles/roles/common/tasks/main.yml

branko
MAR-3: Added example for Prosody role.
---

# Installs the pam_umask profile into the directory pam-auth-update reads its
# profiles from. The notified handler is defined outside this file and is
# presumably what applies the profile - confirm in the role's handlers.
- name: Deploy pam-auth-update configuration file for enabling pam_umask
  copy:
    src: pam_umask
    dest: /usr/share/pam-configs/umask
    owner: root
    group: root
    # Quoted so YAML keeps it a string; Ansible reads mode strings as octal.
    mode: '644'
  notify:
    - Update PAM configuration

# Rewrites the existing UMASK entry in /etc/login.defs to 027, keeping the
# original whitespace through the \g<1> backreference.
- name: Set login UMASK
  lineinfile:
    dest: /etc/login.defs
    state: present
    # With backrefs enabled, lineinfile leaves the file unchanged when the
    # regexp matches nothing. A missing or commented-out UMASK line therefore
    # yields "ok" without the umask being tightened; verify on new images.
    backrefs: true
    regexp: '^UMASK(\s+)'
    line: 'UMASK\g<1>027'

# Sets adduser's DIR_MODE to 0750 so newly created home directories are not
# accessible to "other".
- name: Set home directory mask
  lineinfile:
    dest: /etc/adduser.conf
    state: present
    # backrefs is on although the replacement uses no group: the effect is
    # that an /etc/adduser.conf without an uncommented DIR_MODE= line is left
    # as it is rather than getting the setting appended.
    backrefs: true
    regexp: '^DIR_MODE='
    line: 'DIR_MODE=0750'

# Makes sure the sudo package is installed; an already-installed version is
# left as it is (state=present does not upgrade).
- name: Install sudo
  apt:
    name: sudo
    state: present

# Installs every package named in the common_packages variable, one apt call
# per list entry. The list is defined outside this file.
- name: Install common packages
  apt:
    name: "{{ item }}"
    state: present
  with_items: common_packages

# Creates each group listed in os_groups with its fixed GID, so group IDs are
# the same on every managed host.
- name: Set-up operating system groups
  group:
    name: "{{ item.name }}"
    gid: "{{ item.gid }}"
    state: present
  with_items: os_groups

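# Creates one private group per os_users entry, named after the user and
# using the user's UID as the GID.
- name: Set-up operating system user groups
  group:
    name: "{{ item.name }}"
    gid: "{{ item.uid }}"
    state: present
  with_items: os_users
  # Ansible prints the whole loop item for every iteration, and os_users
  # entries carry a password field (it is passed to the user module in this
  # file). Suppressing the task output keeps that value out of console and
  # CI logs; drop this temporarily when debugging a failing entry.
  no_log: true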

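# Creates each account from os_users with a fixed UID, its private group as
# primary group, the listed supplementary groups (appended, not replaced),
# bash as login shell, and the supplied password value.
- name: Set-up operating system users
  user:
    name: "{{ item.name }}"
    uid: "{{ item.uid }}"
    group: "{{ item.name }}"
    groups: "{{ item.additional_groups }}"
    append: true
    shell: /bin/bash
    state: present
    # The user module expects an already-hashed (crypt) value here, not a
    # cleartext password - confirm that is what os_users provides.
    password: "{{ item.password }}"
  with_items: os_users
  # The loop item, including item.password, is echoed in task output for every
  # iteration. no_log keeps the hash out of console output and job logs where
  # it could be collected for offline cracking.
  no_log: true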

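# Adds every public key listed under a user's authorized_keys to that user's
# authorized_keys file. Keys already present on the host but absent from the
# list are not removed by this task.
- name: Set-up authorised keys
  authorized_key:
    user: "{{ item.0.name }}"
    key: "{{ item.1 }}"
  with_subelements:
    - os_users
    - authorized_keys
  # item.0 is the complete os_users entry, password field included, and it is
  # printed with each iteration's result. Output is suppressed so the password
  # value does not end up in logs.
  no_log: true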

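# Forces "PermitRootLogin no" in sshd_config and restarts SSH when the file
# changes.
- name: Disable remote logins for root
  lineinfile:
    dest: /etc/ssh/sshd_config
    state: present
    # Only an uncommented directive matches. If none exists the line is
    # appended at the end of the file; should the file end in a Match block,
    # the appended setting would apply to that block only - worth checking on
    # hosts with a customised sshd_config.
    regexp: '^PermitRootLogin'
    line: 'PermitRootLogin no'
    # Check the candidate file with sshd's test mode before it replaces the
    # live one, so a bad edit cannot leave the host without a working SSH
    # daemon after the restart.
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - Restart SSH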

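# Forces "PasswordAuthentication no" in sshd_config and restarts SSH when the
# file changes. Accounts then depend on the authorised keys deployed earlier
# in this file.
- name: Disable remote login authentication via password
  lineinfile:
    dest: /etc/ssh/sshd_config
    state: present
    # Only an uncommented directive matches; otherwise the line is appended at
    # the end of the file, where a trailing Match block would scope it.
    # NOTE(review): this does not by itself switch off keyboard-interactive
    # (PAM) prompts - confirm that setting is disabled too.
    regexp: '^PasswordAuthentication'
    line: 'PasswordAuthentication no'
    # Reject the edit if sshd's test mode cannot parse the resulting file, so
    # the restart never runs against a broken configuration.
    validate: '/usr/sbin/sshd -t -f %s'
  notify:
    - Restart SSH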

# Adds the search (execute) bit for "other" on /etc/ssl/private/ so that
# non-root service accounts can reach key files by full path.
- name: Allow users to traverse directories to TLS private key files
  file:
    path: /etc/ssl/private/
    # Symbolic mode: only o+x is added and every other bit stays as found.
    # After this the directory no longer shields its contents from local
    # users, so each private key must be protected by its own owner, group
    # and mode (for example 0640 with a dedicated group).
    mode: 'o+x'