---
# handlers file for RHEL7-CIS

- name: sysctl flush ipv4 route table
  become: yes
  sysctl:
      name: net.ipv4.route.flush
      value: 1
      sysctl_set: yes
  when: ansible_virtualization_type != "docker"

- name: sysctl flush ipv6 route table
  become: yes
  sysctl:
      name: net.ipv6.route.flush
      value: 1
      sysctl_set: yes
  when: ansible_virtualization_type != "docker"

- name: systemd restart tmp.mount
  become: yes
  systemd:
      name: tmp.mount
      daemon_reload: yes
      enabled: yes
      masked: no
      state: reloaded

- name: systemd restart var-tmp.mount
  become: yes
  systemd:
      name: var-tmp.mount
      daemon_reload: yes
      enabled: yes
      masked: no
      state: reloaded

- name: generate new grub config
  become: yes
  command: grub2-mkconfig -o "{{ grub_cfg.stat.lnk_source }}"

# - name: restart firewalld
#   become: yes
#   service:
#       name: firewalld
#       state: restarted

- name: restart xinetd
  become: yes
  service:
      name: xinetd
      state: restarted

- name: restart sshd
  debug:
      msg: "checking /etc/ssh/sshd_config first"
  changed_when: true
  notify:
      - generate host keys
      - check sshd configuration
      - restart sshd - after config check

- name: generate host keys
  command: '/usr/bin/ssh-keygen -A'
  register: ssh_host_keys

- name: check sshd configuration
  command: '/usr/sbin/sshd -t'
  register: sshd_config
  changed_when: "sshd_config.rc != 0"

- name: restart sshd - after config check
  service:
      name: sshd
      state: restarted

- name: reload dconf
  become: yes
  command: dconf update

- name: restart auditd
  command: /sbin/service auditd restart
  changed_when: no
  check_mode: no
  failed_when: no
  args:
      warn: no
  when:
      - not rhel7cis_skip_for_travis
  tags:
      - skip_ansible_lint

- name: grub2cfg
  command: /sbin/grub2-mkconfig -o /boot/grub2/grub.cfg
  ignore_errors: True