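---
# Main task list of the SSH hardening role: picks OS-specific variables,
# detects the installed OpenSSH version, fills in crypto defaults, renders
# sshd_config / ssh_config with strict permissions and prunes weak DH moduli.
# All ssh_* / sshd_* variables referenced here are defined outside this file.

- name: set OS dependent variables
  include_vars: '{{ item }}'
  # Most specific file wins: distro+major, distro, family+major, family.
  with_first_found:
    - '{{ ansible_facts.distribution }}_{{ ansible_facts.distribution_major_version }}.yml'
    - '{{ ansible_facts.distribution }}.yml'
    - '{{ ansible_facts.os_family }}_{{ ansible_facts.distribution_major_version }}.yml'
    - '{{ ansible_facts.os_family }}.yml'

- name: get openssh-version
  command: ssh -V
  register: sshd_version_raw
  changed_when: false
  # Read-only probe; run it in check mode too so the parsed version exists
  # for the tasks that depend on it.
  check_mode: false

- name: parse openssh-version
  # "ssh -V" prints its banner to stderr (e.g. "OpenSSH_9.2p1 ..."); keep only
  # "major.minor". The dot is escaped so it matches a literal dot rather than
  # any character, and the minor part accepts more than one digit.
  set_fact:
    sshd_version: "{{ sshd_version_raw.stderr | regex_replace('.*_([0-9]+\\.[0-9]+).*', '\\1') }}"

- name: set default for ssh_host_key_files if not supplied
  include_tasks: crypto_hostkeys.yml
  when: not ssh_host_key_files

- name: set default for ssh_macs if not supplied
  include_tasks: crypto_macs.yml
  when: not ssh_macs

- name: set default for ssh_ciphers if not supplied
  include_tasks: crypto_ciphers.yml
  when: not ssh_ciphers

- name: set default for ssh_kex if not supplied
  include_tasks: crypto_kex.yml
  when: not ssh_kex

- name: create revoked_keys and set permissions to root/600
  template:
    src: 'revoked_keys.j2'
    dest: '/etc/ssh/revoked_keys'
    mode: '0600'
    owner: '{{ ssh_owner }}'
    group: '{{ ssh_group }}'
  notify: restart sshd
  when: ssh_server_hardening | bool

- name: create sshd_config and set permissions to root/600
  template:
    src: 'opensshd.conf.j2'
    dest: '/etc/ssh/sshd_config'
    mode: '0600'
    owner: '{{ ssh_owner }}'
    group: '{{ ssh_group }}'
    # "sshd -T" parses the rendered file before it replaces the live config,
    # so a broken template cannot lock remote administrators out.
    validate: '{{ sshd_path }} -T -C user=root -C host=localhost -C addr=localhost -C lport=22 -f %s'
  notify: restart sshd
  when: ssh_server_hardening | bool

- name: disable dynamic MOTD
  pamd:
    name: sshd
    type: session
    control: optional
    module_path: pam_motd.so
    state: absent
    backup: true
  when:
    - ssh_server_hardening | bool
    - ssh_pam_support | bool
    - not (ssh_print_pam_motd | bool)

- name: create ssh_config and set permissions to root/644
  template:
    src: 'openssh.conf.j2'
    dest: '/etc/ssh/ssh_config'
    mode: '0644'
    owner: '{{ ssh_owner }}'
    group: '{{ ssh_group }}'
  when: ssh_client_hardening | bool

- name: check if {{ sshd_moduli_file }} contains weak DH parameters
  # Field 5 of the moduli file is the prime size in bits. Both variables are
  # interpolated unquoted into a shell command line, so they must come from
  # trusted role defaults/inventory, never from host-supplied data.
  shell: awk '$5 < {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }}
  register: sshd_register_moduli
  changed_when: false
  check_mode: false
  when: ssh_server_hardening | bool

- name: remove all small primes
  # Filters into a temporary file and swaps it in only when that file is
  # readable and non-empty; "|| true" keeps a failed test or mv from aborting
  # the play (the weak moduli then simply stay in place). Runs only when the
  # previous task found weak entries, so "changed" is reported accurately.
  shell: awk '$5 >= {{ sshd_moduli_minimum }}' {{ sshd_moduli_file }} > {{ sshd_moduli_file }}.new ; [ -r {{ sshd_moduli_file }}.new -a -s {{ sshd_moduli_file }}.new ] && mv {{ sshd_moduli_file }}.new {{ sshd_moduli_file }} || true
  notify: restart sshd
  when:
    - ssh_server_hardening | bool
    - sshd_register_moduli.stdout

- name: include tasks to setup ca keys and principals
  include_tasks: ca_keys_and_principals.yml
  when: ssh_trusted_user_ca_keys_file | length > 0

- name: include selinux specific tasks
  include_tasks: selinux.yml
  when: ansible_facts.selinux and ansible_facts.selinux.status == "enabled"

- name: gather package facts
  package_facts:
  check_mode: false
  when:
    - sshd_disable_crypto_policy | bool

- name: disable SSH server CRYPTO_POLICY
  # Overrides the system-wide crypto policy for sshd so the ciphers/MACs/KEX
  # rendered into sshd_config take effect; like the other sshd config changes
  # above, the daemon has to be restarted to pick this up.
  copy:
    src: sshd
    dest: /etc/sysconfig/sshd
  notify: restart sshd
  when:
    - sshd_disable_crypto_policy | bool
    - ('crypto-policies' in ansible_facts.packages)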