- name: install & setup sshguard
  gather_facts: no
  hosts: "{{target}}"
  become: "{{become}}"
  tasks:

  - name: define sshguard friends file location
    ansible.builtin.set_fact:
      friends_file: "{{ '/etc/sshguard/whitelist' if system == 'debian' else '/etc/sshguard.whitelist' }}"

  - debug: var=system
    when: system != 'debian'
  - debug: var=friends_file
    when: friends_file != '/etc/sshguard/whitelist'

  - name: define sshguard backend location
    ansible.builtin.shell:
      executable: /bin/bash
      cmd: |
        # slackware
        if [[ -x /usr/libexec/sshg-fw-nft-sets ]]; then
          echo /usr/libexec/sshg-fw-nft-sets

        # ubuntu22+
        elif [[ -x /usr/libexec/sshguard/sshg-fw-nft-sets ]]; then
          echo /usr/libexec/sshguard/sshg-fw-nft-sets

        # freebsd
        elif [[ -x /usr/local/libexec/sshg-fw-pf ]]; then
          echo /usr/local/libexec/sshg-fw-pf

        # ubuntu20
        elif [[ -x /usr/lib/x86_64-linux-gnu/sshg-fw-nft-sets ]]; then
          echo /usr/lib/x86_64-linux-gnu/sshg-fw-nft-sets

        else
          echo could not find any sshguard backend
          exit 1
        fi
    register: backend_path
    check_mode: false
    changed_when: false

  - debug: var=backend_path.stdout

  # no need for nftables role dependency
  - name: install packages on debian and redhat systems
    ansible.builtin.package:
      name:
        - nftables
        - sshguard
      state: present
    diff: true
    when: system == 'redhat' or system == 'debian'

  - include_tasks: incl-debian.yml
    when: system == 'debian'

  - include_tasks: incl-redhat.yml
    when: system == 'redhat'

  - include_tasks: incl-slackware.yml
    when: system == 'slackware'

  - include_tasks: incl-freebsd.yml
    when: system == 'freebsd'

  - name: initialize default whitelist
    ansible.builtin.shell:
      executable: /bin/bash
      cmd: |
        cat > {{friends_file}} <<EOF
        127.0.0.0/8
        ::1/128

        EOF
      creates: "{{friends_file}}"

  - name: sshguard whitelist block for ngenix
    ansible.builtin.blockinfile:
      marker: "# {mark} ANSIBLE MANAGED BLOCK - nge_whitelist"
      block: "{{ lookup('file', 'blockinfile/whitelist.ngenix') }}"
      dest: "{{friends_file}}"
    notify: restart sshguard
    diff: true
    when: nge_whitelist is defined

  - name: per-host whitelist block
    ansible.builtin.blockinfile:
      marker: "# {mark} ANSIBLE MANAGED BLOCK - custom_whitelist"
      block: "{{ lookup('file', 'blockinfile/{{inventory_hostname_short}}') }}"
      dest: "{{friends_file}}"
    notify: restart sshguard
    diff: true
    when: custom_whitelist is defined

  - name: enable service on with systemd
    ansible.builtin.service:
      name: sshguard
      state: started
      enabled: true
    diff: true
    when: system == 'redhat' or system == 'debian'

  handlers:

  - name: restart sshguard with systemd
    ansible.builtin.shell:
      executable: /bin/bash
      cmd: systemctl restart sshguard.service
    listen: restart sshguard
    when: system == 'redhat' or system == 'debian'

  - name: restart sshguard with sysv
    ansible.builtin.shell:
      executable: /bin/bash
      cmd: pgrep sshguard && /etc/rc.d/rc.sshguard restart || /etc/rc.d/rc.sshguard start
    listen: restart sshguard
    when: system == 'slackware'

  - name: restart sshguard with bsd init
    ansible.builtin.shell:
      executable: /bin/bash
      cmd: /etc/rc.d/sshguard restart
    listen: restart sshguard
    when: system == 'freebsd'