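# The helper is installed before the PAM line that calls it, so the
# pam_exec.so hook never points at a file that does not exist yet.
# pam_exec.so executes this script from the session stack (typically
# with the privileges of the login service), so it is pinned to
# root:root and is writable by root only.
- name: deploy mkDownloads script
  copy:
    src: mkDownloads
    dest: /usr/local/sbin/mkDownloads
    owner: root
    group: root
    mode: "0755"

# Both lines are inserted just above the pam-auth-update end marker.
# NOTE(review): this edits a file that pam-auth-update also manages;
# confirm how later pam-auth-update runs treat the local change.
- name: enable pam_mkhomedir.so and pam_exec.so
  lineinfile:
    path: /etc/pam.d/common-session
    line: "{{ item }}"
    insertbefore: "# end of pam-auth-update config"
  loop:
    # Fields are tab-separated (\t). lineinfile compares the whole line,
    # so the whitespace must stay exactly as written to remain idempotent.
    - "session\toptional\tpam_mkhomedir.so  umask=0022"
    - "session\toptional\tpam_exec.so /usr/local/sbin/mkDownloads"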

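# https://serverfault.com/questions/354615/allow-sftp-but-disallow-ssh
# Every account except those matching L_* and the ansible user is
# restricted to SFTP: no TTY, no X11/TCP/agent forwarding, and the
# session command is forced to internal-sftp.
# NOTE(review): no handler is notified here, so a running sshd keeps its
# previous configuration until it is reloaded; confirm that happens
# elsewhere in the role.
# NOTE(review): the drop-in only applies if the main sshd_config includes
# /etc/ssh/sshd_config.d/; verify on the target release.
# NOTE(review): no ChrootDirectory is set, so restricted users can still
# browse whatever file permissions allow; check whether the target
# OpenSSH offers further forwarding switches worth disabling here.
- name: only allow sftp for most users
  blockinfile:
    path: /etc/ssh/sshd_config.d/local.conf
    create: true
    # Explicit ownership and mode so a freshly created drop-in does not
    # depend on the umask of the connection user.
    owner: root
    group: root
    mode: "0644"
    block: |
      Match User !L_*,!ansible,*
         PermitTTY no
         X11Forwarding no
         AllowTcpForwarding no
         AllowAgentForwarding no
         ForceCommand internal-sftp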

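# Installs the archive-homes helper under /usr/local/sbin.
# Mode 0750 with root:root keeps the script executable by root and the
# root group only; other users can neither read nor run it.
# The mode is quoted so it reaches Ansible as a string, not as a number
# whose meaning depends on the YAML parser.
- name: deploy archive home script
  copy:
    src: archive-homes
    dest: /usr/local/sbin/archive-homes
    owner: root
    group: root
    mode: "0750"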

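# Installs the systemd service and timer units for archive-homes.
# Unit files are plain configuration: 0644 (rw-r--r--) replaces the
# previous 0655, which gave group/other an execute bit while the owner
# had none. systemd warns about unit files marked executable.
# NOTE(review): the notified handler is defined outside this file;
# confirm it also runs a daemon-reload before enabling the timer.
- name: deploy archive home script service and timer
  copy:
    src: "{{ item }}"
    dest: "/etc/systemd/system/{{ item }}"
    owner: root
    group: root
    mode: "0644"
  loop:
    - archive-homes.service
    - archive-homes.timer
  notify: enable archive-homes.timer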

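# Installs examode.py under /usr/local/bin, which is normally on every
# user's PATH. Ownership is pinned to root:root and the mode leaves it
# writable by root only, so unprivileged users can run it but not
# replace it.
- name: deploy examode helper
  copy:
    src: examode.py
    dest: /usr/local/bin/examode.py
    owner: root
    group: root
    mode: "0755"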

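# Installs the exam helper scripts under /usr/local/bin.
# Each file is root-owned and world-executable but writable by root
# only. The mode is quoted so it is passed to Ansible as a string.
- name: deploy exam scripts
  copy:
    src: "{{ item }}"
    dest: "/usr/local/bin/{{ item }}"
    owner: root
    group: root
    mode: "0755"
  loop:
    - copy2students
    - fetchexam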