---

- name: "Adding options for /tmp"
  when: not ubtu24cis_tmp_svc
  vars:
    mount_point: '/tmp'
  ansible.posix.mount:
    path: "{{ mount_point }}"
    src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}"
    state: present
    fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
    opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
  listen: "Remount /tmp"

- name: "Remounting /tmp"
  vars:
    mount_point: '/tmp'
  ansible.posix.mount:
    path: "{{ mount_point }}"
    state: remounted
  listen: "Remount /tmp"

- name: "Remounting /tmp systemd"
  vars:
    mount_point: '/tmp'
  ansible.builtin.systemd:
    name: tmp.mount
    state: restarted
    daemon_reload: true
  listen: "Remount /tmp"

- name: "Adding options for /dev/shm"
  vars:
    mount_point: '/dev/shm'
  ansible.posix.mount:
    path: "{{ mount_point }}"
    src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}"
    state: present
    fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
    opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
  listen: "Remount /dev/shm"

- name: "Remounting /dev/shm"
  vars:
    mount_point: '/dev/shm'
  ansible.posix.mount:
    path: "{{ mount_point }}"
    state: remounted
  listen: "Remount /dev/shm"

- name: "Adding options for /home"
  vars:
    mount_point: '/home'
  ansible.posix.mount:
    path: "{{ mount_point }}"
    src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}"
    state: present
    fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
    opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
  listen: "Remount /home"

- name: "Remounting /home"
  vars:
    mount_point: '/home'
  ansible.posix.mount:
    path: "{{ mount_point }}"
    state: remounted
  listen: "Remount /home"

- name: "Adding options for /var"
  vars:
    mount_point: '/var'
  ansible.posix.mount:
    path: "{{ mount_point }}"
    src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}"
    state: present
    fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
    opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
  listen: "Remount /var"

- name: "Remounting /var"
  vars:
    mount_point: '/var'
  ansible.posix.mount:
    path: "{{ mount_point }}"
    state: remounted
  listen: "Remount /var"

- name: "Adding options for /var/tmp"
  vars:
    mount_point: '/var/tmp'
  ansible.posix.mount:
    path: "{{ mount_point }}"
    src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}"
    state: present
    fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
    opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
  listen: "Remount /var/tmp"

- name: "Remounting /var/tmp"
  vars:
    mount_point: '/var/tmp'
  ansible.posix.mount:
    path: "{{ mount_point }}"
    state: remounted
  listen: "Remount /var/tmp"

- name: "Adding options for /var/log"
  vars:
    mount_point: '/var/log'
  ansible.posix.mount:
    path: "{{ mount_point }}"
    src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}"
    state: present
    fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
    opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
  listen: "Remount /var/log"

- name: "Remounting /var/log"
  vars:
    mount_point: '/var/log'
  ansible.posix.mount:
    path: "{{ mount_point }}"
    state: remounted
  listen: "Remount /var/log"

- name: "Adding options for /var/log/audit"
  vars:
    mount_point: '/var/log/audit'
  ansible.posix.mount:
    path: "{{ mount_point }}"
    src: "{{ prelim_mount_point_fs_and_options[mount_point]['src'] }}"
    state: present
    fstype: "{{ prelim_mount_point_fs_and_options[mount_point]['fs_type'] }}"
    opts: "{{ prelim_mount_point_fs_and_options[mount_point]['options'] | unique | join(',') }}"
  listen: "Remount /var/log/audit"

- name: "Remounting /var/log/audit"
  vars:
    mount_point: '/var/log/audit'
  ansible.posix.mount:
    path: "{{ mount_point }}"
    state: remounted
  listen: "Remount /var/log/audit"

- name: Update_Initramfs
  ansible.builtin.command: update-initramfs -u
  changed_when: true
  notify: Set_reboot_required

- name: Grub update
  ansible.builtin.command: update-grub
  changed_when: true
  failed_when: false
  notify: Set_reboot_required

- name: Restart timeservice
  ansible.builtin.systemd:
    name: "{{ ubtu24cis_time_sync_tool }}"
    state: restarted

- name: Reload systemctl
  ansible.builtin.systemd:
    daemon_reload: true

- name: Update dconf
  ansible.builtin.command: dconf update
  changed_when: true
  failed_when: false

- name: Restart postfix
  ansible.builtin.service:
    name: postfix
    state: restarted

- name: Restart syslog service
  ansible.builtin.systemd:
    name: "{{ ubtu24cis_syslog_service }}"
    state: restarted

- name: Restart journald
  ansible.builtin.systemd:
    name: systemd-journald
    state: restarted

- name: Restart exim4
  ansible.builtin.systemd:
    name: exim4
    state: restarted

- name: Flush ipv4 route table
  when: ansible_facts.virtualization_type != "docker"
  ansible.posix.sysctl:
    name: net.ipv4.route.flush
    value: '1'
    sysctl_set: true

- name: Flush ipv6 route table
  when:
    - ansible_facts.virtualization_type != "docker"
    - ubtu24cis_ipv6_required
  ansible.posix.sysctl:
    name: net.ipv6.route.flush
    value: '1'
    sysctl_set: true

- name: Reload ufw
  community.general.ufw:
    state: reloaded

- name: Iptables persistent
  ansible.builtin.command: bash -c "iptables-save > /etc/iptables/rules.v4"
  changed_when: true

- name: Ip6tables persistent
  ansible.builtin.command: bash -c "ip6tables-save > /etc/iptables/rules.v6"
  changed_when: true

- name: Pam_auth_update_pwunix
  ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_pwunix_file }}
  changed_when: true

- name: Pam_auth_update_pwfaillock
  ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_faillock_file }}
  changed_when: true

- name: Pam_auth_update_pwfaillock_notify
  ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_faillock_notify_file }}
  changed_when: true

- name: Pam_auth_update_pwquality
  ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_pwquality_file }}
  changed_when: true

- name: Pam_auth_update_pwhistory
  ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_pwhistory_file }}
  changed_when: true

- name: Auditd rules reload
  when: ('"No change" not in discovered_augenrules_check.stdout') or prelim_auditd_immutable_check.rc == 1
  ansible.builtin.command: augenrules --load
  changed_when: true
  failed_when: discovered_augenrule_load.rc not in [ 0, 1 ]
  register: discovered_augenrule_load

- name: Audit_immutable_fact
  when:
    - discovered_audit_rules_updated.changed
    - auditd_immutable_check is defined
  ansible.builtin.debug:
    msg: "Reboot required for auditd to apply new rules as immutable set"
  notify: Set_reboot_required

- name: Stop auditd process
  ansible.builtin.command: systemctl kill auditd
  changed_when: true
  listen: Restart auditd

- name: Start auditd process
  ansible.builtin.system:
    name: auditd
    state: started
  listen: Restart auditd

- name: Restart sshd
  ansible.builtin.systemd:
    name: ssh
    state: restarted

- name: Set_reboot_required
  ansible.builtin.set_fact:
    change_requires_reboot: true