---
- hosts: all
  tasks:
  - name: Configure sshd
    include_role:
      name: ansible-sshd
    vars:
      sshd_sysconfig: true
      sshd_sysconfig_override_crypto_policy: true
      sshd_sysconfig_use_strong_rng: 32

  - name: Verify the options are correctly set
    block:
      - meta: flush_handlers

      - name: Print current configuration file
        slurp:
          src: /etc/sysconfig/sshd
        register: config

      - name: Check the crypto policies is overridden in RHEL 8
        assert:
          that:
            - "'CRYPTO_POLICY=' in config.content | b64decode"
            # these are string variants in default configuration file
            - "'# CRYPTO_POLICY=' not in config.content | b64decode"
        when:
          - ansible_facts['os_family'] == "RedHat"
          - ansible_facts['distribution_major_version'] == "8"

      - name: Check the RNG options are in configuration file
        assert:
          that:
            - "'SSH_USE_STRONG_RNG=32' in config.content | b64decode"
            # these are string variants in default configuration file
            - "'SSH_USE_STRONG_RNG=0' not in config.content | b64decode"
            - "'# SSH_USE_STRONG_RNG=1' not in config.content | b64decode"
        when:
          - ansible_facts['os_family'] == "RedHat"
          - ansible_facts['distribution'] != 'Fedora'
    tags: tests::verify