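---
# Handlers for the Ubuntu 24 CIS role. Each handler runs once, after the tasks
# that notify it, either by its own name or through a `listen` topic.
#
# Commands with a fixed argv and no shell features (redirection, pipes,
# globbing) use ansible.builtin.command rather than ansible.builtin.shell, so
# templated arguments such as the pam-auth-update profile names are passed as
# plain argv words and never re-parsed by a shell.

# /tmp handling: the two "Writing the tmp file" handlers are mutually
# exclusive (selected by tmp_mnt_type); both, together with "Remount tmp",
# answer to the "Writing and remounting tmp" topic.
- name: Writing the tmp file | tmp_systemd
  when:
    - "'/tmp' in mount_names"
    - item.mount == "/tmp"
    - tmp_mnt_type == 'tmp_systemd'
  ansible.builtin.template:
    src: etc/systemd/system/tmp.mount.j2
    dest: /etc/systemd/system/tmp.mount
    owner: root
    group: root
    mode: '0644'
  with_items:
    - "{{ ansible_facts.mounts }}"
  loop_control:
    label: "{{ item.device }}"
  listen: Writing and remounting tmp

- name: Writing the tmp file | fstab
  when:
    - "'/tmp' in mount_names"
    - tmp_mnt_type == 'fstab'
    - item.mount == "/tmp"
  ansible.posix.mount:
    path: /tmp
    src: "{{ item.device }}"
    state: present
    fstype: "{{ item.fstype }}"
    # "defaults" first, then the role's /tmp options; `unique` prevents a
    # repeated entry from producing e.g. "opt,opt" in fstab.
    opts: "defaults,{{ tmp_partition_mount_options | unique | join(',') }}"
  with_items:
    - "{{ ansible_facts.mounts }}"
  loop_control:
    label: "{{ item.device }}"
  listen: Writing and remounting tmp

- name: Update_Initramfs
  ansible.builtin.command: update-initramfs -u
  notify: Set_reboot_required

- name: Remount tmp
  when:
    - "'/tmp' in mount_names"
  ansible.posix.mount:
    path: /tmp
    state: remounted
  listen: Writing and remounting tmp

- name: Remount var
  ansible.posix.mount:
    path: /var
    state: remounted

- name: Remount var_tmp
  ansible.posix.mount:
    path: /var/tmp
    state: remounted

- name: Remount var_log
  ansible.posix.mount:
    path: /var/log
    state: remounted

- name: Remount var_log_audit
  ansible.posix.mount:
    path: /var/log/audit
    state: remounted

- name: Remount home
  ansible.posix.mount:
    path: /home
    state: remounted

- name: Remount dev_shm
  ansible.posix.mount:
    path: /dev/shm
    src: /dev/shm
    state: remounted

- name: Grub update
  ansible.builtin.command: update-grub
  # Best effort: a failing update-grub must not abort the rest of the run.
  failed_when: false
  notify: Set_reboot_required

- name: Restart timeservice
  ansible.builtin.systemd:
    name: "{{ ubtu24cis_time_sync_tool }}"
    state: restarted

- name: Reload systemctl
  ansible.builtin.systemd:
    daemon_reload: true

- name: Update dconf
  ansible.builtin.command: dconf update
  # Best effort: dconf may be absent on headless hosts.
  failed_when: false

- name: Restart postfix
  ansible.builtin.service:
    name: postfix
    state: restarted

- name: Restart syslog service
  ansible.builtin.systemd:
    name: "{{ ubtu24cis_syslog_service }}"
    state: restarted

- name: Restart journald
  ansible.builtin.systemd:
    name: systemd-journald
    state: restarted

- name: Restart exim4
  ansible.builtin.systemd:
    name: exim4
    state: restarted

- name: Flush ipv4 route table
  when: ansible_facts.virtualization_type != "docker"
  ansible.posix.sysctl:
    name: net.ipv4.route.flush
    value: '1'
    sysctl_set: true

- name: Flush ipv6 route table
  when:
    - ansible_facts.virtualization_type != "docker"
    - ubtu24cis_ipv6_required
  ansible.posix.sysctl:
    name: net.ipv6.route.flush
    value: '1'
    sysctl_set: true

- name: Reload ufw
  community.general.ufw:
    state: reloaded

# The two *tables persistent handlers need a shell for the output redirection.
- name: Iptables persistent
  ansible.builtin.shell: bash -c "iptables-save > /etc/iptables/rules.v4"
  changed_when: ubtu24cis_iptables_save.rc == 0
  failed_when: ubtu24cis_iptables_save.rc > 0
  register: ubtu24cis_iptables_save

- name: Ip6tables persistent
  ansible.builtin.shell: bash -c "ip6tables-save > /etc/iptables/rules.v6"
  changed_when: ubtu24cis_ip6tables_save.rc == 0
  failed_when: ubtu24cis_ip6tables_save.rc > 0
  register: ubtu24cis_ip6tables_save

# pam-auth-update handlers: the profile name comes from a role variable and is
# passed as a single argv word (no shell involved).
- name: Pam_auth_update_pwunix
  ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_pwunix_file }}

- name: Pam_auth_update_pwfaillock
  ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_faillock_file }}

- name: Pam_auth_update_pwfaillock_notify
  ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_faillock_notify_file }}

- name: Pam_auth_update_pwquality
  ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_pwquality_file }}

- name: Pam_auth_update_pwhistory
  ansible.builtin.command: pam-auth-update --enable {{ ubtu24cis_pam_pwhistory_file }}

- name: Auditd rules reload
  # NOTE(review): the right-hand operand of `or` is a quoted string literal,
  # which is always truthy, so this condition is always true and the handler
  # runs on every notification regardless of prelim_auditd_immutable_check.
  # The literal looks like a garbled reference to a registered grep result;
  # confirm the intended variable and compare against its .stdout instead.
  when:
    - not prelim_auditd_immutable_check or '"No change" not in ubtu24cis_rule_6_2_3_21_grep -iR augen_check.stdout'
  ansible.builtin.command: augenrules --load

- name: Audit_immutable_fact
  # Guard on `is defined` first so an un-registered result does not raise an
  # undefined-variable error when `.changed` is evaluated.
  # NOTE(review): this reads auditd_immutable_check while the reload handler
  # above reads prelim_auditd_immutable_check — confirm which fact the role sets.
  when:
    - audit_rules_updated is defined
    - audit_rules_updated.changed
    - auditd_immutable_check is defined
  ansible.builtin.debug:
    msg: "Reboot required for auditd to apply new rules as immutable set"
  notify: Set_reboot_required

- name: Restart auditd
  when:
    - audit_rules_updated is defined
  # Restarted through the service script rather than the systemd module;
  # presumably because the auditd unit refuses a manual stop — confirm.
  tags:
    - skip_ansible_lint
  ansible.builtin.command: service auditd restart

- name: Restart sshd
  ansible.builtin.systemd:
    name: ssh
    state: restarted

# Terminal handler: only records that a reboot is pending; it is notified by
# the handlers above (initramfs, grub, auditd immutable rules).
- name: Set_reboot_required
  ansible.builtin.set_fact:
    change_requires_reboot: true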