---
# Copyright 2019 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

# found within the "vars/" path. If no OS files are found the task will skip.
- name: Gather variables for each operating system
  include_vars: "{{ item }}"
  with_first_found:
    - skip: true
      files:
        - "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml"
        - "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
        - "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
        - "{{ ansible_distribution | lower }}.yml"
        - "{{ ansible_os_family | lower }}-{{ ansible_distribution_version.split('.')[0] }}.yml"
        - "{{ ansible_os_family | lower }}.yml"
  tags:
    - always

- name: Run sshd tasks as root
  become: true
  block:
    - name: Install the OpenSSH server
      package:
        name: "{{ tripleo_sshd_packages }}"
        state: "{{ tripleo_sshd_package_state }}"
      notify:
        - Restart sshd

    - name: Flush all handlers
      meta: flush_handlers

    - name: Adjust ssh server configuration
      template:
        dest: /etc/ssh/sshd_config
        src: sshd_config_block.j2
        validate: '/usr/sbin/sshd -T -f %s'
      notify:
        - Restart sshd

    - name: PasswordAuthentication notice
      debug:
        msg: >-
          Notice - The option `tripleo_sshd_password_authentication` is set to
          "{{ tripleo_sshd_password_authentication }}" but `PermitRootLogin` is
          undefined. While this may be perfectly valid, the sshd_config options
          should be reviewed to ensure general user access is functional and
          meeting expectations.
      when:
        - (tripleo_sshd_password_authentication != 'no') and
          not (PermitRootLogin in tripleo_sshd_server_options)

    - name: Adjust ssh server auth configuration
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: '^#?PasswordAuthentication.*'
        line: 'PasswordAuthentication {{ tripleo_sshd_password_authentication }}'
        validate: '/usr/sbin/sshd -T -f %s'
      notify:
        - Restart sshd

    - name: Configure the banner text
      copy:
        content: "{{ tripleo_sshd_banner_text }}"
        dest: /etc/issue
      when:
        - tripleo_sshd_banner_enabled | bool

    - name: Adjust ssh server banner configuration
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: '^#?Banner.*'
        line: 'Banner /etc/issue'
        validate: '/usr/sbin/sshd -T -f %s'
      when:
        - tripleo_sshd_banner_enabled | bool
      notify:
        - Restart sshd

    - name: Configure the motd banner
      copy:
        content: "{{ tripleo_sshd_message_of_the_day }}"
        dest: /etc/motd
      when:
        - tripleo_sshd_motd_enabled | bool

    - name: Adjust ssh server motd configuration
      lineinfile:
        path: /etc/ssh/sshd_config
        state: present
        regexp: '^#?PrintMotd.*'
        line: 'PrintMotd yes'
        validate: '/usr/sbin/sshd -T -f %s'
      when:
        - tripleo_sshd_motd_enabled | bool
      notify:
        - Restart sshd

- name: Flush all handlers
  meta: flush_handlers