---
# tasks file for hardening-basic: renders the hardening templates under /etc,
# optionally hardens root's SSH key material and restarts sshd, then includes
# a service-manager-specific task file (harden_<ansible_service_mgr>.yml)

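- name: Basic Hardening
  block:
    # Render every regular file below ../templates/basic/etc/ to the same
    # relative path below /etc; directory entries of the tree are skipped.
    - name: Create and copy hardening files
      ansible.builtin.template:
        src: '{{ item.src }}'
        dest: '/etc/{{ item.path }}'
      with_community.general.filetree: '../templates/basic/etc/'
      when: item.state == 'file'

    - name: Harden SSH Config
      # `| bool` also accepts "true"/"yes" strings (extra-vars, inventory);
      # the former `is true` only matched a native boolean True. `default`
      # keeps the old "skip when unset" behaviour.
      when: hardening_sshd_enabled | default(false) | bool
      block:
        - name: Create and copy hardening files
          ansible.builtin.template:
            src: '{{ item.src }}'
            dest: '/etc/{{ item.path }}'
          with_community.general.filetree: '../templates/ssh/etc/'
          when: item.state == 'file'

        # The previous inline `'1' if <var>` had no `else`: a false value
        # rendered to Jinja's Undefined and failed the task. Both branches
        # are now explicit, and the whole mode is a quoted string so YAML
        # never re-types it as an integer.
        # NOTE(review): the sticky bit adds nothing on a 0700 root-owned
        # directory and is ignored on regular files by Linux; it is kept only
        # because hardening_sshd_permissions_set_sticky_bit exists.
        - name: Give 1700 permissions to .ssh folder
          ansible.builtin.file:
            path: /root/.ssh
            owner: root
            group: root
            mode: "{{ '1700' if hardening_sshd_permissions_set_sticky_bit | bool else '0700' }}"

        - name: Give 1600 permissions to .ssh/authorized_keys file
          ansible.builtin.file:
            path: /root/.ssh/authorized_keys
            owner: root
            group: root
            mode: "{{ '1600' if hardening_sshd_permissions_set_sticky_bit | bool else '0600' }}"

        # Never restart on a config that does not parse: a failed sshd restart
        # on a remote host means losing access. `sshd -t` exits non-zero on a
        # broken config, which fails this task and aborts the block before the
        # restart below runs. Skipped in containers, like the restart itself.
        - name: Validate sshd configuration before restarting
          when: not (is_docker | default(false) | bool)
          ansible.builtin.command: sshd -t
          changed_when: false

        # NOTE(review): the unit is `sshd` here; Debian-family hosts name it
        # `ssh` — confirm the target platform or make the name a variable.
        - name: Restart sshd
          when: not (is_docker | default(false) | bool)
          ansible.builtin.systemd:
            state: restarted
            name: sshd

    # Picks harden_<service manager>.yml (e.g. harden_systemd.yml); relies on
    # ansible_service_mgr, so facts must be gathered before this role runs.
    - name: Harden Service Manager (like Systemd)
      block:
        - name: Include service-manager-specific hardening tasks
          ansible.builtin.include_tasks: "harden_{{ ansible_service_mgr }}.yml"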