---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Adding additional sshd configuration options is usually easy, but if a
# configuration file ends with certain configurations, like a "Match" stanza,
# we need a blank line to separate those configurations from the ones that
# are added by the security role. For that reason, we check for the existence
# of a marker line here and add a marker line to the file if it doesn't exist.

- name: Find first 'Match' line in sshd_config (if it exists)
  shell: "grep '^Match' /etc/ssh/sshd_config || echo 'EOF'"
  register: sshd_match_check
  changed_when: False
  check_mode: no
  tags:
    - always
    - sshd

- name: Copy login warning banner
  copy:
    content: "{{ security_login_banner_text }}"
    dest: "{{ security_sshd_banner_file }}"
    owner: root
    group: root
  tags:
    - high
    - sshd
    - V-71861
    - V-72225

- name: Adjust ssh server configuration based on STIG requirements
  blockinfile:
    dest: /etc/ssh/sshd_config
    state: present
    marker: "# {mark} MANAGED BY OPENSTACK-ANSIBLE-SECURITY"
    insertbefore: "{{ sshd_match_check.stdout_lines[0] }}"
    validate: '/usr/sbin/sshd -T -f %s'
    block: "{{ lookup('template', 'sshd_config_block.j2') }}"
  notify:
    - restart ssh
  tags:
    - high
    - sshd
    - V-71939
    - V-71957
    - V-71959
    - V-72221
    - V-72225
    - V-72237
    - V-72241
    - V-72245
    - V-72247
    - V-72249
    - V-72243
    - V-72243
    - V-72303
    - V-72251
    - V-72253
    - V-72265
    - V-72267
    - V-72261
    - V-72263

- name: Ensure sshd is enabled at boot time
  service:
    name: "{{ ssh_service }}"
    enabled: yes
  when:
    - security_enable_sshd | bool
  tags:
    - medium
    - sshd
    - V-72235

- name: Public host key files must have mode 0644 or less
  file:
    path: "{{ item }}"
    mode: "u-xX,g-wxs,o-wxt"
  with_fileglob:
    - /etc/ssh/*.pub
  tags:
    - medium
    - sshd
    - V-72255

- name: Private host key files must have mode 0600 or less
  file:
    path: "{{ item }}"
    mode: "u-xX,g-rwxs,o-rwxt"
  with_fileglob:
    - /etc/ssh/*_key
  tags:
    - medium
    - sshd
    - V-72257