---
# handlers file for RHEL9-CIS

- name: sysctl flush ipv4 route table
  become: true
  sysctl:
      name: net.ipv4.route.flush
      value: '1'
      sysctl_set: true
  ignore_errors: true
  when: ansible_virtualization_type != "docker"
  tags:
      - skip_ansible_lint

- name: sysctl flush ipv6 route table
  become: true
  sysctl:
      name: net.ipv6.route.flush
      value: '1'
      sysctl_set: true
  when: ansible_virtualization_type != "docker"

- name: update sysctl
  template:
      src: "etc/sysctl.d/{{ item }}.j2"
      dest: "/etc/sysctl.d/{{ item }}"
      owner: root
      group: root
      mode: 0600
  notify: reload sysctl
  with_items:
      - 60-kernel_sysctl.conf
      - 60-disable_ipv6.conf
      - 60-netipv4_sysctl.conf
      - 60-netipv6_sysctl.conf
  when:
      - ansible_virtualization_type != "docker"
      - "'procps-ng' in ansible_facts.packages"

- name: reload sysctl
  sysctl:
      name: net.ipv4.route.flush
      value: '1'
      state: present
      reload: true
      ignoreerrors: true
  when:
      - ansible_virtualization_type != "docker"
      - "'systemd' in ansible_facts.packages"

- name: systemd restart tmp.mount
  become: true
  systemd:
      name: tmp.mount
      daemon_reload: true
      enabled: true
      masked: false
      state: reloaded

- name: systemd restart var-tmp.mount
  become: true
  systemd:
      name: var-tmp.mount
      daemon_reload: true
      enabled: true
      masked: false
      state: reloaded

- name: remount tmp
  shell: mount -o remount /tmp
  args:
      warn: false

- name: restart firewalld
  become: true
  service:
      name: firewalld
      state: restarted

- name: restart sshd
  become: true
  service:
      name: sshd
      state: restarted

- name: restart postfix
  become: true
  service:
      name: postfix
      state: restarted

- name: reload dconf
  become: true
  shell: dconf update
  args:
      warn: false

- name: update auditd
  template:
      src: audit/99_auditd.rules.j2
      dest: /etc/audit/rules.d/99_auditd.rules
      owner: root
      group: root
      mode: 0600
  notify: restart auditd

- name: restart auditd
  shell: /sbin/service auditd restart
  changed_when: false
  check_mode: false
  failed_when: false
  args:
      warn: false
  tags:
      - skip_ansible_lint

- name: grub2cfg
  shell: "grub2-mkconfig -o {{ grub_cfg.stat.lnk_source }}"
  args:
      warn: false
  ignore_errors: True
  tags:
      - skip_ansible_lint

- name: restart rsyslog
  become: true
  service:
      name: rsyslog
      state: restarted

- name: restart journald
  service:
      name: systemd-journald
      state: restarted

- name: restart systemd_journal_upload
  service:
      name: systemd-journal-upload
      state: restarted

- name: systemd_daemon_reload
  systemd:
      daemon-reload: true

- name: change_requires_reboot
  set_fact:
      change_requires_reboot: true