---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

- name: Check if gdm is installed and configured
  stat:
    path: /etc/gdm/custom.conf
  register: gdm_conf_check
  check_mode: no

- name: V-71953 - The operating system must not allow an unattended or automatic logon to the system via a graphical user interface
  lineinfile:
    dest: /etc/gdm/custom.conf
    line: "^AutomaticLoginEnable=true"
    state: absent
  when:
    - gdm_conf_check.stat.exists
    - security_disable_gdm_automatic_login | bool
  tags:
    - graphical
    - high
    - V-71953

- name: V-71955 - The operating system must not allow guest logon to the system.
  lineinfile:
    dest: /etc/gdm/custom.conf
    line: "^TimedLoginEnable=true"
    state: absent
  when:
    - gdm_conf_check.stat.exists
    - security_disable_gdm_timed_login | bool
  tags:
    - graphical
    - high
    - V-71955

- name: Check for dconf profiles
  stat:
    path: /etc/dconf/profile
  register: dconf_check
  tags:
    - always

- name: Create a user profile in dconf
  copy:
    src: dconf-user-profile
    dest: /etc/dconf/profile/user
  when:
    - dconf_check.stat.exists
  tags:
    - graphical
    - medium
    - V-71891
    - V-71893
    - V-71901

- name: Create dconf directories
  file:
    path: "{{ item }}"
    state: directory
  with_items:
    - /etc/dconf/db/local.d/
    - /etc/dconf/db/local.d/locks
    - /etc/dconf/db/gdm.d/
  when:
    - dconf_check.stat.exists
  tags:
    - graphical
    - medium
    - V-71859
    - V-71891
    - V-71893
    - V-71901

- name: Configure graphical session locking
  template:
    src: dconf-screensaver-lock.j2
    dest: /etc/dconf/db/local.d/00-screensaver
  when:
    - dconf_check.stat.exists
  notify:
    - dconf update
  tags:
    - graphical
    - medium
    - V-71891
    - V-71893
    - V-71901

- name: Prevent users from changing graphical session locking configurations
  template:
    src: dconf-session-user-config-lockout.j2
    dest: /etc/dconf/db/local.d/locks/session
  when:
    - dconf_check.stat.exists
  notify:
    - dconf update
  tags:
    - graphical
    - medium
    - V-71891
    - V-71893
    - V-71901

- name: Create a GDM profile for displaying a login banner
  copy:
    src: dconf-profile-gdm
    dest: /etc/dconf/profile/gdm
  when:
    - dconf_check.stat.exists
  notify:
    - dconf update
  tags:
    - graphical
    - medium
    - V-71859

- name: Create a GDM keyfile for machine-wide settings
  template:
    src: dconf-gdm-banner-message.j2
    dest: "{{ item }}"
  with_items:
    - /etc/dconf/db/gdm.d/01-banner-message
    - /etc/dconf/db/local.d/01-banner-message
  when:
    - dconf_check.stat.exists
  notify:
    - dconf update
  tags:
    - graphical
    - medium
    - V-71859