---
# handlers file for RHEL9-CIS

- name: "Adding options for /tmp"
  when: not rhel9cis_tmp_svc
  vars:
    mount_point: '/tmp'
  ansible.posix.mount:
    path: "{{ mount_point }}"
    src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}"
    state: present
    fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
    opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
  listen: "Remount /tmp"

- name: "Remounting /tmp"
  vars:
    mount_point: '/tmp'
  ansible.posix.mount:
    path: "{{ mount_point }}"
    state: remounted
  listen: "Remount /tmp"

- name: "Remounting /tmp systemd"
  vars:
    mount_point: '/tmp'
  ansible.builtin.systemd:
    name: tmp.mount
    state: restarted
    daemon_reload: true
  listen: "Remount /tmp"

- name: "Adding options for /dev/shm"
  vars:
    mount_point: '/dev/shm'
  ansible.posix.mount:
    path: "{{ mount_point }}"
    src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}"
    state: present
    fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
    opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
  listen: "Remount /dev/shm"

- name: "Remounting /dev/shm"
  vars:
    mount_point: '/dev/shm'
  ansible.posix.mount:
    path: "{{ mount_point }}"
    state: remounted
  listen: "Remount /dev/shm"

- name: "Adding options for /home"
  vars:
    mount_point: '/home'
  ansible.posix.mount:
    path: "{{ mount_point }}"
    src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}"
    state: present
    fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
    opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
  listen: "Remount /home"

- name: "Remounting /home"
  vars:
    mount_point: '/home'
  ansible.posix.mount:
    path: "{{ mount_point }}"
    state: remounted
  listen: "Remount /home"

- name: "Adding options for /var"
  vars:
    mount_point: '/var'
  ansible.posix.mount:
    path: "{{ mount_point }}"
    src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}"
    state: present
    fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
    opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
  listen: "Remount /var"

- name: "Remounting /var"
  vars:
    mount_point: '/var'
  ansible.posix.mount:
    path: "{{ mount_point }}"
    state: remounted
  listen: "Remount /var"

- name: "Adding options for /var/tmp"
  vars:
    mount_point: '/var/tmp'
  ansible.posix.mount:
    path: "{{ mount_point }}"
    src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}"
    state: present
    fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
    opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
  listen: "Remount /var/tmp"

- name: "Remounting /var/tmp"
  vars:
    mount_point: '/var/tmp'
  ansible.posix.mount:
    path: "{{ mount_point }}"
    state: remounted
  listen: "Remount /var/tmp"

- name: "Adding options for /var/log"
  vars:
    mount_point: '/var/log'
  ansible.posix.mount:
    path: "{{ mount_point }}"
    src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}"
    state: present
    fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
    opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
  listen: "Remount /var/log"

- name: "Remounting /var/log"
  vars:
    mount_point: '/var/log'
  ansible.posix.mount:
    path: "{{ mount_point }}"
    state: remounted
  listen: "Remount /var/log"

- name: "Adding options for /var/log/audit"
  vars:
    mount_point: '/var/log/audit'
  ansible.posix.mount:
    path: "{{ mount_point }}"
    src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}"
    state: present
    fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
    opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
  listen: "Remount /var/log/audit"

- name: "Remounting /var/log/audit"
  vars:
    mount_point: '/var/log/audit'
  ansible.posix.mount:
    path: "{{ mount_point }}"
    state: remounted
  listen: "Remount /var/log/audit"

- name: Reload sysctl
  ansible.builtin.command: sysctl --system
  changed_when: true

- name: Sysctl flush ipv4 route table
  when:
    - rhel9cis_flush_ipv4_route
    - not system_is_container
  ansible.posix.sysctl:
    name: net.ipv4.route.flush
    value: '1'
    sysctl_set: true
  ignore_errors: true  # noqa ignore-errors

- name: Sysctl flush ipv6 route table
  when:
    - rhel9cis_flush_ipv6_route
    - not system_is_container
  ansible.posix.sysctl:
    name: net.ipv6.route.flush
    value: '1'
    sysctl_set: true

- name: Systemd restart tmp.mount
  ansible.builtin.systemd:
    name: tmp.mount
    daemon_reload: true
    enabled: true
    masked: false
    state: reloaded

- name: Update Crypto Policy
  ansible.builtin.set_fact:
    rhel9cis_full_crypto_policy: "{{ rhel9cis_crypto_policy }}{% if rhel9cis_crypto_policy_module | length > 0 %}{{ rhel9cis_crypto_policy_module }}{% endif %}"
  notify: Set Crypto Policy

- name: Set Crypto Policy
  when: prelim_system_wide_crypto_policy.stdout != rhel9cis_full_crypto_policy
  ansible.builtin.command: update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}"
  changed_when: true
  notify:
    - Change_requires_reboot
    - Restart sshd

- name: Restart firewalld
  ansible.builtin.systemd:
    name: firewalld
    state: restarted

- name: Restart sshd
  ansible.builtin.systemd:
    name: sshd
    state: restarted

- name: Restart postfix
  ansible.builtin.systemd:
    name: postfix
    state: restarted

- name: Reload dconf
  ansible.builtin.command: dconf update
  changed_when: true

- name: Grub2cfg
  ansible.builtin.command: "grub2-mkconfig -o /boot/grub2/grub.cfg"
  changed_when: true
  ignore_errors: true  # noqa ignore-errors

- name: Restart rsyslog
  ansible.builtin.systemd:
    name: rsyslog
    state: restarted

- name: Restart journald
  ansible.builtin.systemd:
    name: systemd-journald
    state: restarted

- name: Restart systemd_journal_upload
  ansible.builtin.systemd:
    name: systemd-journal-upload
    state: restarted

- name: Systemd daemon reload
  ansible.builtin.systemd:
    daemon-reload: true

- name: Authselect update
  ansible.builtin.command: authselect apply-changes
  changed_when: true

## Auditd tasks note order for handlers to run

- name: Auditd immutable check
  ansible.builtin.command: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
  changed_when: false
  register: discovered_auditd_immutable_check

- name: Audit immutable fact
  when: discovered_auditd_immutable_check.stdout == '1'
  ansible.builtin.debug:
    msg: "Reboot required for auditd to apply new rules as immutable set"
  notify: Change_requires_reboot

- name: Stop auditd process
  ansible.builtin.command: systemctl kill auditd
  changed_when: true
  listen: Restart auditd

- name: Start auditd process
  ansible.builtin.systemd_service:
    name: auditd
    state: started
  listen: Restart auditd

- name: Change_requires_reboot
  ansible.builtin.set_fact:
    change_requires_reboot: true