---
# handlers file for RHEL9-CIS

- name: sysctl flush ipv4 route table
  become: yes
  sysctl:
      name: net.ipv4.route.flush
      value: '1'
      sysctl_set: yes
  ignore_errors: yes
  when: ansible_virtualization_type != "docker"
  tags:
      - skip_ansible_lint

- name: sysctl flush ipv6 route table
  become: yes
  sysctl:
      name: net.ipv6.route.flush
      value: '1'
      sysctl_set: yes
  when: ansible_virtualization_type != "docker"

- name: update sysctl
  template:
      src: etc/99-sysctl.conf.j2
      dest: /etc/sysctl.d/99-sysctl.conf
      owner: root
      group: root
      mode: 0600
  notify: reload sysctl
  when: ansible_virtualization_type != "docker"

- name: reload sysctl
  sysctl:
    name: net.ipv4.route.flush
    value: '1'
    state: present
    reload: yes
    ignoreerrors: yes
  when: ansible_virtualization_type != "docker"

- name: systemd restart tmp.mount
  become: yes
  systemd:
      name: tmp.mount
      daemon_reload: yes
      enabled: yes
      masked: no
      state: reloaded

- name: systemd restart var-tmp.mount
  become: yes
  systemd:
      name: var-tmp.mount
      daemon_reload: yes
      enabled: yes
      masked: no
      state: reloaded

- name: remount tmp
  command: mount -o remount /tmp
  args:
      warn: false

- name: restart firewalld
  become: yes
  service:
      name: firewalld
      state: restarted

- name: restart xinetd
  become: yes
  service:
      name: xinetd
      state: restarted

- name: restart sshd
  become: yes
  service:
      name: sshd
      state: restarted

- name: restart postfix
  become: yes
  service:
      name: postfix
      state: restarted

- name: reload dconf
  become: yes
  command: dconf update

- name: update auditd
  template:
      src: audit/99_auditd.rules.j2
      dest: /etc/audit/rules.d/99_auditd.rules
      owner: root
      group: root
      mode: 0600
  notify: restart auditd

- name: restart auditd
  command: /sbin/service auditd restart
  changed_when: no
  check_mode: no
  failed_when: no
  args:
      warn: no
  when:
      - not rhel9cis_skip_for_travis
  tags:
      - skip_ansible_lint

- name: grub2cfg
  command: "grub2-mkconfig -o {{ grub_cfg.stat.lnk_source }}"
  ignore_errors: True
  tags:
      - skip_ansible_lint

- name: restart rsyslog
  become: yes
  service:
      name: rsyslog
      state: restarted

- name: restart syslog-ng
  become: yes
  service:
      name: syslog-ng
      state: restarted

- name: systemd_daemon_reload
  systemd:
      daemon-reload: yes