---
# handlers file for RHEL9-CIS

- name: Reload sysctl
  ansible.builtin.shell: sysctl --system

- name: Sysctl flush ipv4 route table
  when:
    - rhel9cis_flush_ipv4_route
    - not system_is_container
  ansible.posix.sysctl:
    name: net.ipv4.route.flush
    value: '1'
    sysctl_set: true
  ignore_errors: true  # noqa ignore-errors

- name: Sysctl flush ipv6 route table
  when:
    - rhel9cis_flush_ipv6_route
    - not system_is_container
  ansible.posix.sysctl:
    name: net.ipv6.route.flush
    value: '1'
    sysctl_set: true

- name: Systemd restart tmp.mount
  ansible.builtin.systemd:
    name: tmp.mount
    daemon_reload: true
    enabled: true
    masked: false
    state: reloaded

- name: Remount tmp
  ansible.posix.mount:
    path: /tmp
    state: remounted

- name: Update Crypto Policy
  ansible.builtin.set_fact:
    rhel9cis_full_crypto_policy: "{{ rhel9cis_crypto_policy }}{% if rhel9cis_crypto_policy_module | length > 0 %}:{{ rhel9cis_crypto_policy_module }}{% endif %}"
  notify: Set Crypto Policy

- name: Set Crypto Policy
  when: rhel9cis_system_wide_crypto_policy.stdout != rhel9cis_full_crypto_policy
  ansible.builtin.shell: |
    update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}"
    update-crypto-policies
  notify:
    - Change_requires_reboot
    - Restart sshd

- name: Restart firewalld
  ansible.builtin.systemd:
    name: firewalld
    state: restarted

- name: Restart sshd
  ansible.builtin.systemd:
    name: sshd
    state: restarted

- name: Restart postfix
  ansible.builtin.systemd:
    name: postfix
    state: restarted

- name: Reload dconf
  ansible.builtin.shell: dconf update

- name: Grub2cfg
  ansible.builtin.shell: "grub2-mkconfig -o /boot/grub2/grub.cfg"
  ignore_errors: true  # noqa ignore-errors

- name: Restart rsyslog
  ansible.builtin.systemd:
    name: rsyslog
    state: restarted

- name: Restart journald
  ansible.builtin.systemd:
    name: systemd-journald
    state: restarted

- name: Restart systemd_journal_upload
  ansible.builtin.systemd:
    name: systemd-journal-upload
    state: restarted

- name: Systemd daemon reload
  ansible.builtin.systemd:
    daemon-reload: true

- name: Apply_authselect
  when: not rhel9cis_rule_5_4_2
  ansible.builtin.shell: authselect apply-changes

- name: Apply_authselect
  when: rhel9cis_rule_5_4_2
  ansible.builtin.shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }} --force --backup=rhel9cis_commit_{{ ansible_date_time.epoch}}"
## Auditd tasks note order for handlers to run

- name: Auditd immutable check
  ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
  changed_when: false
  register: auditd_immutable_check

- name: Audit immutable fact
  when:
    - auditd_immutable_check.stdout == '1'
  ansible.builtin.debug:
    msg: "Reboot required for auditd to apply new rules as immutable set"
  notify: Change_requires_reboot

- name: Restart auditd
  ansible.builtin.shell: service auditd restart

- name: Change_requires_reboot
  ansible.builtin.set_fact:
    change_requires_reboot: true