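---
# Host hardening tasks: include distribution-specific SELinux package tasks,
# start firewalld, disable SSH password authentication, and move sshd to
# port 1181 (with the matching SELinux port label and firewalld rule).
# The `restart sshd` handler and the `is_atomic` variable are not defined in
# this file.

- name: include SELinux package tasks for EL (CentOS/RHEL)
  include_tasks: centos-selinux.yml
  when: ansible_distribution in ["CentOS", "Red Hat Enterprise Linux", "RedHat"]

- name: include SELinux package tasks for Fedora (non-atomic)
  include_tasks: fedora-selinux.yml
  when: ansible_distribution in ["Fedora"] and not is_atomic

# likely to break on non-RHEL/derivatives, could use improvement.
- name: enable firewalld
  service:
    name: firewalld
    state: started
    enabled: true

# NOTE(review): when no existing line matches the regexp, lineinfile appends
# the directive at the end of the file. If sshd_config ends with a `Match`
# block, the setting would then apply only inside that block. sshd also keeps
# the first value it reads for a keyword, so an earlier `Include` of a drop-in
# directory can override this line. Confirm the effective value with
# `sshd -T` on the target.
- name: SSH - disable password auth
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^PasswordAuthentication'
    line: 'PasswordAuthentication no'
    state: present
    # Same syntax check as the port task below, so a broken config is never
    # written in place and picked up by the sshd restart.
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart sshd

# The restart is deferred to the notified handler. Handlers normally run after
# the tasks, so the SELinux label and firewalld rule below should be in place
# before sshd rebinds to 1181. Confirm nothing flushes handlers earlier.
- name: SSH - config port 1181
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^Port '
    line: 'Port 1181'
    insertbefore: '(^|#)AddressFamily.*'
    validate: '/usr/sbin/sshd -t -f %s'
  notify: restart sshd

# Only runs when the gathered SELinux fact reports status 'enabled'.
- name: allow custom SSH port in selinux
  seport:
    ports: 1181
    proto: tcp
    setype: ssh_port_t
    state: present
  when: >-
    ansible_selinux is defined
    and ansible_selinux != False
    and ansible_selinux.status == 'enabled'

# also likely to break on non-RHEL/derivatives, could use improvement too.
# NOTE(review): this only opens 1181/tcp; whether the zone still allows the
# default ssh service on 22/tcp is not visible here. Verify and remove it if
# it is no longer needed.
- name: allow custom SSH port in firewalld
  firewalld:
    port: 1181/tcp
    permanent: true
    immediate: true
    state: enabled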