---
- hosts: all
  tasks:
  - name: Configure alternative sshd_config file
    include_role:
      name: ansible-sshd
    vars:
      # just anything -- will not get processed by sshd
      sshd_config_file: /etc/ssh/sshd_config_custom
      sshd_skip_defaults: true
      sshd:
        AcceptEnv: LANG
        Banner: /etc/issue
        Ciphers: aes256-gcm@openssh.com
      sshd_Compression: no
  - name: Configure second alternative sshd_config file
    include_role:
      name: ansible-sshd
    vars:
      # just anything -- will not get processed by sshd
      sshd_config_file: /etc/ssh/sshd_config_custom_second
      sshd_skip_defaults: true
      sshd:
        Banner: /etc/issue2
        Ciphers: aes128-gcm@openssh.com
      sshd_MaxStartups: 100
  - name: Now configure the main sshd_config file
    include_role:
      name: ansible-sshd
    vars:
      sshd:
        Banner: /etc/issue
        Ciphers: aes128-ctr
        HostKey:
          - /tmp/ssh_host_ecdsa_key
      sshd_PasswordAuthentication: no

  - name: Verify the options are correctly set
    vars:
      main_sshd_config: >-
        {{
          "/etc/ssh/sshd_config.d/00-ansible_system_role.conf"
          if ansible_facts['distribution'] == 'Fedora'
          else "/etc/ssh/sshd_config"
        }}
    block:
      - meta: flush_handlers

      - name: Print current configuration file
        slurp:
          src: /etc/ssh/sshd_config_custom
        register: config

      - name: Print second configuration file
        slurp:
          src: /etc/ssh/sshd_config_custom_second
        register: config2

      - name: Print the main configuration file
        slurp:
          src: "{{ main_sshd_config }}"
        register: config3

      - name: Check content of first configuration file
        assert:
          that:
            - "'AcceptEnv LANG' in config.content | b64decode"
            - "'Banner /etc/issue' in config.content | b64decode"
            - "'Ciphers aes256-gcm@openssh.com' in config.content | b64decode"
            - "'HostKey' not in config.content | b64decode"
            - "'Compression no' in config.content | b64decode"
            - "'MaxStartups 100' not in config.content | b64decode"

      - name: Check content of second configuration file
        assert:
          that:
            - "'Banner /etc/issue2' in config2.content | b64decode"
            - "'Ciphers aes128-gcm@openssh.com' in config2.content | b64decode"
            - "'HostKey' not in config2.content | b64decode"
            - "'MaxStartups 100' in config2.content | b64decode"
            - "'Compression no' not in config2.content | b64decode"

      - name: Check content of the main configuration file
        assert:
          that:
            - "'Banner /etc/issue' in config3.content | b64decode"
            - "'Ciphers aes128-ctr' in config3.content | b64decode"
            - "'HostKey /tmp/ssh_host_ecdsa_key' in config3.content | b64decode"
            - "'PasswordAuthentication no' in config3.content | b64decode"
            - "'MaxStartups 100' not in config3.content | b64decode"
            - "'Compression no' not in config3.content | b64decode"
    tags: tests::verify