---
- hosts: all
  tasks:
  - name: Configure sshd
    include_role:
      name: ansible-sshd
    vars:
      sshd:
        AcceptEnv: LANG
        Banner: /etc/issue
        Ciphers: aes256-gcm@openssh.com
        Subsystem: "sftp internal-sftp"
      sshd_config_file: /etc/ssh/sshd_config

  - name: Verify the options are correctly set
    block:
      - meta: flush_handlers

      - name: List effective configuration using sshd -T
        command: sshd -T
        register: runtime

      - name: Print current configuration file
        slurp:
          src: /etc/ssh/sshd_config
        register: config

      - name: Check the options are effective
        # note, the options are in lower-case here
        assert:
          that:
            - "'acceptenv LANG' in runtime.stdout"
            - "'banner /etc/issue' in runtime.stdout"
            - "'ciphers aes256-gcm@openssh.com' in runtime.stdout"
            - "'subsystem sftp internal-sftp' in runtime.stdout"

      - name: Check the options are in configuration file
        assert:
          that:
            - "'AcceptEnv LANG' in config.content | b64decode"
            - "'Banner /etc/issue' in config.content | b64decode"
            - "'Ciphers aes256-gcm@openssh.com' in config.content | b64decode"
            - "'Subsystem sftp internal-sftp' in config.content | b64decode"
    tags: tests::verify