---
# Copyright 2020, VEXXHOST, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

- name: Cleanup gate images
  hosts: all
  become: yes
  become_user: root
  tasks:
    - name: Switch apt source from https to http
      replace:
        path: /etc/apt/sources.list
        regexp: 'https'
        replace: "http"
      when:
        - ansible_facts['distribution_release'] in ['jammy']

    - name: Remove package excludes for yum/dnf
      lineinfile:
        dest: '/etc/dnf/dnf.conf'
        regexp: "^exclude="
        state: absent
      when: ansible_pkg_mgr == 'dnf'

    - name: Adjust ssh server configuration based on STIG requirements
      vars:
        sshd_settings:
          - name: GSSAPIAuthentication
            value: "no"
          - name: KerberosAuthentication
            value: "no"
          - name: PasswordAuthentication
            value: "no"
      blockinfile:
        dest: /etc/ssh/sshd_config
        state: present
        marker: "# {mark} MANAGED BY PRE-OSA step"
        insertbefore: "BOF"
        validate: '/usr/sbin/sshd -T -f %s'
        block: |-
          {% for option in sshd_settings %}
          {{ option['name'] ~ ' ' ~ option['value'] }}
          {% endfor %}
      notify:
        - Restart ssh

    - name: Remove motd from pam.d
      lineinfile:
        path: /etc/pam.d/sshd
        regexp: '^(session\s*optional\s*pam_motd.so.*)$'
        line: '# \1'
        backrefs: yes

  handlers:
    - name: Restart ssh
      service:
        name: "sshd"
        state: restarted