---
- hosts: all
  vars:
    __sshd_test_backup_files:
      - /etc/ssh/sshd_config
      - /etc/ssh/sshd_config.d/00-ansible_system_role.conf
      - /tmp/missing_ssh_host_rsa_key
  tasks:
    - name: "Backup configuration files"
      ansible.builtin.include_tasks: tasks/backup.yml

    - name: Configure sshd with missing host keys and prevent their creation
      block:
        - name: Configure missing hostkey
          ansible.builtin.include_role:
            name: ansible-sshd
          vars:
            sshd_verify_hostkeys: []
            sshd:
              HostKey:
                - /tmp/missing_ssh_host_rsa_key
          register: role_result

        - name: unreachable task
          ansible.builtin.fail:
            msg: UNREACH

      rescue:
        - name: Check that we failed in the role
          ansible.builtin.assert:
            that:
              - ansible_failed_result.msg != 'UNREACH'
              - not role_result.changed
            msg: "Role has not failed when it should have"
      when:
        - ansible_facts['os_family'] != 'Debian'
        - not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')
      tags: tests::verify

    - name: Make sure the key was not created
      ansible.builtin.file:
        path: /tmp/missing_ssh_host_rsa_key
        state: absent
      register: key
      failed_when: key.changed
      tags: tests::verify

    - name: Make sure service is still running
      ansible.builtin.service:
        name: sshd
        state: started
      register: result
      failed_when: result.changed
      tags: tests::verify
      when:
        - not (ansible_facts['os_family'] == 'RedHat' and ansible_facts['distribution_major_version'] == '6')

    - name: "Restore configuration files"
      ansible.builtin.include_tasks: tasks/restore.yml