---
- name: Ensure required packages are installed
  package:
    name: python3-libselinux
    state: present
    cache_valid_time: "{{ apt_cache_valid_time if ansible_facts.os_family == 'Debian' else omit }}"
    update_cache: "{{ True if ansible_facts.os_family == 'Debian' else omit }}"
  become: True

- name: Check if SELinux configuration file exists
  stat:
    path: /etc/selinux/config
  register: stat_result

- name: Ensure desired SELinux state
  selinux:
    policy: "{{ selinux_policy }}"
    state: "{{ selinux_state }}"
  register: selinux_result
  vars:
    ansible_python_interpreter: /usr/bin/python3
  become: True
  when: stat_result.stat.exists

- block:
    - name: Abort SELinux configuration because reboot is disabled
      fail:
        msg: >
          SELinux state change requires a reboot, but selinux_do_reboot is
          false. Please run again with selinux_do_reboot set to true to reboot.
      when:
        - not selinux_do_reboot | bool

    - block:
        - name: Set a fact to determine whether we are running locally
          set_fact:
            is_local: "{{ lookup('pipe', 'hostname') in [ansible_facts.hostname, ansible_facts.nodename] }}"

        - name: Reboot the system to apply SELinux changes (local)
          command: shutdown -r now "Applying SELinux changes"
          become: True
          when:
            - is_local | bool

        - name: Reboot the machine to apply SELinux
          reboot:
            reboot_timeout: "{{ selinux_reboot_timeout }}"
            msg: Applying SELinux changes
          become: true
          when:
            - not is_local | bool
      when:
        - selinux_do_reboot | bool
  when:
    - stat_result.stat.exists
    - selinux_result.reboot_required