---
- name: Test OS default settings
  hosts: all
  vars:
    __sshd_test_backup_files:
      - /etc/ssh/sshd_config
      - /etc/ssh/sshd_config.d/00-ansible_system_role.conf
      - /etc/ssh/ssh_host_rsa_key
      - /etc/ssh/ssh_host_rsa_key.pub

  tasks:
    - name: Backup configuration files
      ansible.builtin.include_tasks: tasks/backup.yml

    - name: Show effective configuration before running role (system defaults)
      ansible.builtin.shell: |
        set -eu
        if set -o | grep pipefail 2>&1 /dev/null ; then
          set -o pipefail
        fi
        if test ! -f /etc/ssh/ssh_host_rsa_key; then
          ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N ''
        fi
        sshd -T
      register: runtime_before
      changed_when: false

    - name: Configure sshd
      ansible.builtin.include_role:
        name: ansible-sshd
        public: true

    - name: Show effective configuration after running role (role defaults)
      ansible.builtin.command: sshd -T
      register: runtime_after
      changed_when: false

    - name: Check that the effective configuration did not change from OS defaults
      ansible.builtin.assert:
        that:
          - runtime_before.stdout == runtime_after.stdout
      when:
        # RHEL6/CentOS6 images have modified sshd_config, different from what is in rpm package
        - not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')

    - name: Read drop in directory mode
      ansible.builtin.stat:
        path: "{{ __sshd_defaults.Include | dirname }}"
      register: drop_in_dir_stat
      when: __sshd_defaults.Include is defined

    - name: Check drop in directory mode has not changed
      ansible.builtin.assert:
        that:
          - drop_in_dir_stat.stat.mode == __sshd_drop_in_dir_mode
      when: __sshd_defaults.Include is defined

    - name: Restore configuration files
      ansible.builtin.include_tasks: tasks/restore.yml