---
- name: OS is supported
  meta: end_host
  when:
    - not __sshd_os_supported|bool

- name: Install ssh packages
  package:
    name: "{{ sshd_packages }}"
    state: present

- name: Sysconfig configuration
  template:
    src: sysconfig.j2
    dest: "/etc/sysconfig/sshd"
    owner: "root"
    group: "root"
    mode: "600"
    backup: "{{ sshd_backup }}"
  when:
    - sshd_sysconfig|bool
  notify: reload_sshd

- name: Make sure hostkeys are available and have expected permissions
  vars: &share_vars
    # This mimics the macro body_option() in sshd_config.j2
    # The explicit to_json filter is needed for Python 2 compatibility
    __sshd_hostkeys_from_config: >-
      {% if sshd_HostKey is defined %}
        {{ sshd_HostKey | to_json }}
      {% elif sshd['HostKey'] is defined %}
        {{ sshd['HostKey'] | to_json }}
      {% elif __sshd_defaults['HostKey'] is defined and not sshd_skip_defaults %}
        {{ __sshd_defaults['HostKey'] | to_json }}
      {% else %}
        []
      {% endif %}
    __sshd_verify_hostkeys: >-
      {% if not sshd_verify_hostkeys %}
        []
      {% elif sshd_verify_hostkeys == 'auto' %}
        {{ __sshd_hostkeys_from_config }}
      {% else %}
        {{ sshd_verify_hostkeys | to_json }}
      {% endif %}
  block:
    - name: Make sure hostkeys are available
      shell: >
        {% if sshd_sysconfig %}
          source /etc/sysconfig/sshd;
        {% endif %}
        ssh-keygen -q -t {{ item | regex_search('(rsa|dsa|ecdsa|ed25519)') }} -f {{ item }} -C '' -N ''
      args:
        creates: "{{ item }}"
      loop: "{{ __sshd_verify_hostkeys | from_json | list }}"

    - name: Make sure private hostkeys have expected permissions
      file:
        path: "{{ item }}"
        owner: "{{ sshd_hostkey_owner }}"
        group: "{{ sshd_hostkey_group }}"
        mode: "{{ sshd_hostkey_mode }}"
      loop: "{{ __sshd_verify_hostkeys | from_json | list }}"

- name: Apply configuration
  vars:
    <<: *share_vars
  block:
    - name: Create a temporary hostkey for syntax verification if needed
      tempfile:
        state: directory
      register: sshd_test_hostkey
      changed_when: False
      when:
        - __sshd_hostkeys_from_config | from_json == []
        - sshd_config_file != "/etc/ssh/sshd_config"

    - name: Generate temporary hostkey
      shell: "ssh-keygen -q -t rsa -f {{ sshd_test_hostkey.path }}/rsa_key -C '' -N ''"
      changed_when: False
      when: sshd_test_hostkey.path is defined

    - name: Create the configuration file
      template:
        src: sshd_config.j2
        dest: "{{ sshd_config_file }}"
        owner: "{{ sshd_config_owner }}"
        group: "{{ sshd_config_group }}"
        mode: "{{ sshd_config_mode }}"
        validate: >-
          {% if sshd_test_hostkey is defined and sshd_test_hostkey.path is defined %}
            {{ sshd_binary }} -t -f %s -h {{ sshd_test_hostkey.path }}/rsa_key
          {% else %}
            {{ sshd_binary }} -t -f %s
          {% endif %}
        backup: "{{ sshd_backup }}"
      notify: reload_sshd
  rescue:
    - name: re-raise the error
      fail:
        msg: "{{ ansible_failed_result }}"
  always:
    - name: Remove temporary host keys
      file:
        path: "{{ sshd_test_hostkey.path }}"
        state: absent
      changed_when: False
      when: sshd_test_hostkey.path is defined

- name: Install systemd service files
  block:
    - name: Install service unit file
      template:
        src: "{{ sshd_service_template_service }}"
        dest: "/etc/systemd/system/{{ sshd_service }}.service"
        owner: root
        group: root
        mode: "0644"
      notify: reload_sshd
    - name: Install instanced service unit file
      template:
        src: "{{ sshd_service_template_at_service }}"
        dest: "/etc/systemd/system/{{ sshd_service }}@.service"
        owner: root
        group: root
        mode: "0644"
      notify: reload_sshd
    - name: Install socket unit file
      template:
        src: "{{ sshd_service_template_socket }}"
        dest: "/etc/systemd/system/{{ sshd_service }}.socket"
        owner: root
        group: root
        mode: "0644"
      notify: reload_sshd
  when: sshd_install_service|bool

- name: Service enabled and running
  service:
    name: "{{ sshd_service }}"
    enabled: true
    state: started
  when:
    - sshd_manage_service|bool
    - ansible_virtualization_type|default(None) != 'docker'
    - ansible_virtualization_type|default(None) != 'VirtualPC' # for Github Actions
    - ansible_connection != 'chroot'

# Due to ansible bug 21026, cannot use service module on RHEL 7
- name: Enable service in chroot
  command: systemctl enable {{ sshd_service }}  # noqa 303
  when:
    - ansible_connection == 'chroot'
    - ansible_os_family == 'RedHat'
    - ansible_distribution_major_version|int >= 7

- name: Register that this role has run
  set_fact:
    sshd_has_run: true
  when: sshd_has_run is not defined