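# Configure an already-installed sshguard: pick the config template from the
# distro release codename, optionally install a whitelist, restart on change.
#
# Variables read by this play:
#   target       - host pattern to run against (required)
#   become       - whether to escalate privileges (required)
#   sshg_friends - suffix selecting templates/whitelist.<suffix> (optional)
- name: setup sshguard
  gather_facts: false
  hosts: "{{ target }}"
  become: "{{ become }}"

  tasks:
    # Precondition: the play fails here if no executable sshguard is on PATH.
    # `command -v` is a bash builtin, so this does not depend on `which`.
    - name: check sshguard is installed
      ansible.builtin.shell:
        executable: /bin/bash
        cmd: '[[ -x "$(command -v sshguard)" ]]'
      changed_when: false
      check_mode: false

    # pipefail is required: without it the pipeline's status is tr's, so the
    # `|| echo unknown` fallback never runs when lsb_release is missing and
    # distro.stdout ends up empty instead of "unknown".
    - name: define distro flavor
      ansible.builtin.shell:
        executable: /bin/bash
        cmd: >-
          set -o pipefail;
          lsb_release -is 2>/dev/null | tr A-Z a-z || echo unknown
      register: distro
      changed_when: false
      check_mode: false

    - name: show distro flavor
      ansible.builtin.debug:
        var: distro.stdout

    - name: define distro release
      ansible.builtin.shell:
        executable: /bin/bash
        cmd: "lsb_release -cs 2>/dev/null || echo unknown"
      register: release
      changed_when: false
      check_mode: false

    - name: show distro release
      ansible.builtin.debug:
        var: release.stdout

    - name: define auth_log_file for debian/ubuntu systems
      ansible.builtin.set_fact:
        auth_log_file: "/var/log/auth.log"
      when: distro.stdout in ['debian', 'ubuntu']

    - name: define auth_log_file for non-debian systems
      ansible.builtin.set_fact:
        auth_log_file: "/var/log/secure"
      when: distro.stdout not in ['debian', 'ubuntu']

    # Fails the play when the log sshguard is expected to watch is absent.
    # NOTE(review): hosts that log only to the journal (no rsyslog) will not
    # have this file - confirm that stopping here is the intended outcome.
    - name: check auth log file is available
      ansible.builtin.shell:
        executable: /bin/bash
        cmd: "[[ -f '{{ auth_log_file }}' ]]"
      changed_when: false
      check_mode: false

    # do not tune config on ubuntu18, keep using iptables there
    # Owner and mode are set explicitly on every file below: sshguard's config
    # and whitelist decide who gets blocked, so they must not be left with
    # whatever permissions a pre-existing file or the umask happens to give.
    - name: config files for debian/ubuntu20-
      ansible.builtin.template:
        src: templates/sshguard_ubuntu20.conf.j2
        dest: /etc/sshguard/sshguard.conf
        owner: root
        group: root
        mode: "0644"
      notify: restart sshguard
      diff: true
      when: release.stdout == 'focal'

    - name: config files for debian/ubuntu22+
      ansible.builtin.template:
        src: templates/sshguard_ubuntu22.conf.j2
        dest: /etc/sshguard/sshguard.conf
        owner: root
        group: root
        mode: "0644"
      notify: restart sshguard
      diff: true
      when: release.stdout in ['jammy', 'vera', 'bookworm']

    # Entries in the whitelist are never blocked, so review the source file
    # selected by sshg_friends before rollout and keep it root-writable only.
    - name: sshguard whitelists
      ansible.builtin.copy:
        src: "templates/whitelist.{{ sshg_friends }}"
        dest: /etc/sshguard/whitelist
        owner: root
        group: root
        mode: "0644"
      notify: restart sshguard
      diff: true
      when: sshg_friends is defined

    # Disabled Slackware support, kept for reference. Both tasks test
    # ansible_distribution, so re-enabling them also requires gather_facts.
    # - name: config files for sbo package
    #   ansible.builtin.template:
    #     src: templates/sshguard_sbo.conf.j2
    #     dest: /etc/sshguard.conf
    #   notify: restart sshguard
    #   diff: true
    #   when: ansible_distribution == 'Slackware'

    # - name: non-systemd init script
    #   ansible.builtin.copy:
    #     src: templates/rc.sshguard
    #     dest: /etc/rc.d/rc.sshguard
    #     mode: "755"
    #   when: ansible_distribution == 'Slackware'
    #   notify: restart sshguard
    #   diff: true

  handlers:
    # if/else instead of `A && B || C`: with the chained form a failed
    # `systemctl restart` on a systemd host fell through to the rc script,
    # hiding the real error behind a "no such file" failure.
    - name: restart sshguard
      ansible.builtin.shell:
        executable: /bin/bash
        cmd: |-
          if [[ -x /lib/systemd/systemd ]]; then
            systemctl restart sshguard.service
          else
            /etc/rc.d/rc.sshguard restart
          fi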