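---
# Post-hardening validation tasks: read the effective state back from the
# host and publish one summary fact (cis_validation_summary) for reporting.
# Every task here is read-only (changed_when: false / set_fact / debug).

# sshd -t exits non-zero when the effective sshd configuration is invalid.
# No failed_when override is set, so a non-zero rc fails the play at this
# point; the 'CRITICAL' value computed in the summary below is therefore
# only reachable if a caller relaxes this task's failure condition.
- name: Validate ssh effective configuration syntax
  ansible.builtin.command: sshd -t
  register: cis_sshd_validate
  changed_when: false
  check_mode: false

# Read every managed sysctl key back from the running kernel. argv form
# hands the key to sysctl as one argument, so it is never re-split by
# the module's string parsing. failed_when: false keeps unreadable keys
# (e.g. a module that is not loaded) from aborting the play; they are
# recorded as 'unreadable' by the summary task further down.
- name: Read sysctl values for validation
  ansible.builtin.command:
    argv:
      - sysctl
      - "-n"
      - "{{ item.key }}"
  loop: "{{ cis_sysctl_settings | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  register: cis_sysctl_validation
  changed_when: false
  failed_when: false
  check_mode: false
  when:
    - cis_enable_sysctl_hardening | bool
    - not cis_container_detected | default(false) | bool

- name: Gather installed package facts
  ansible.builtin.package_facts:
    manager: auto

- name: Gather final service facts
  ansible.builtin.service_facts:

# 'not-found' marks a unit that is absent from service_facts altogether.
# NOTE(review): on hosts where ssh is socket-activated, ssh.service may be
# reported inactive while ssh.socket is the listening unit — confirm for
# the target distributions before treating that state as a finding.
- name: Build service state summary
  ansible.builtin.set_fact:
    cis_service_state_summary:
      ssh: "{{ ansible_facts.services['ssh.service'].state | default('not-found') }}"
      chrony: "{{ ansible_facts.services['chrony.service'].state | default('not-found') }}"
      auditd: "{{ ansible_facts.services['auditd.service'].state | default('not-found') }}"
      rsyslog: "{{ ansible_facts.services['rsyslog.service'].state | default('not-found') }}"

# legacy_absent lists the legacy packages that are NOT installed (the
# desired outcome); the *_present lists show which expected hardening and
# audit packages ARE installed.
- name: Build package validation summary
  ansible.builtin.set_fact:
    cis_package_validation_summary:
      legacy_absent: "{{ cis_legacy_packages | difference(ansible_facts.packages.keys() | list) }}"
      hardening_present: "{{ (cis_enabled_hardening_packages | default(cis_hardening_packages)) | intersect(ansible_facts.packages.keys() | list) }}"
      audit_present: "{{ cis_audit_packages | intersect(ansible_facts.packages.keys() | list) }}"

# Fold the per-key sysctl reads into one key -> value mapping. A read that
# exited non-zero has rc != 0 and an empty stdout, so the value is decided
# on rc rather than on stdout being defined; a skipped item has no rc and
# is also recorded as 'unreadable'.
- name: Build sysctl validation summary
  ansible.builtin.set_fact:
    cis_sysctl_validation_summary: >-
      {{ cis_sysctl_validation_summary | default({})
         | combine({item.item.key: (item.stdout if (item.rc | default(1)) == 0 else 'unreadable')}) }}
  loop: "{{ cis_sysctl_validation.results | default([]) }}"
  loop_control:
    label: "{{ item.item.key }}"
  when:
    - cis_enable_sysctl_hardening | bool
    - not cis_container_detected | default(false) | bool

# Paths whose mount options were actually changed by the earlier mount
# task (registered as cis_mount_option_results); empty when nothing changed
# or when that task did not run.
- name: Build mount option change summary
  ansible.builtin.set_fact:
    cis_mount_option_summary: >-
      {{ cis_mount_option_results.results | default([])
         | selectattr('changed', 'defined') | selectattr('changed')
         | map(attribute='item.path') | list }}

# Single reporting fact consumed by the debug tasks below (and by callers).
- name: Publish validation summary
  ansible.builtin.set_fact:
    cis_validation_summary:
      benchmark: "CIS-inspired controls for Debian 13 Trixie and Ubuntu Server 26.04 LTS"
      sshd_config: "{{ 'OK' if cis_sshd_validate.rc == 0 else 'CRITICAL' }}"
      services: "{{ cis_service_state_summary }}"
      packages: "{{ cis_package_validation_summary }}"
      sysctl: "{{ cis_sysctl_validation_summary | default({}) }}"
      mount_option_updates: "{{ cis_mount_option_summary | default([]) }}"
      audit_rules_managed: "{{ cis_manage_audit_rules | bool }}"
      applied_controls:
        - ssh
        - packages
        - sysctl
        - services
        - audit
        - sudo
        - logging
        - filesystem

- name: Show service states
  ansible.builtin.debug:
    var: cis_service_state_summary

- name: Show package validation
  ansible.builtin.debug:
    var: cis_package_validation_summary

- name: Show changed mount options
  ansible.builtin.debug:
    msg: >-
      {{ cis_mount_option_summary | default([])
         if cis_mount_option_summary | default([]) | length > 0
         else 'OK: No mount option changes were applied.' }}

- name: Show applied control summary
  ansible.builtin.debug:
    var: cis_validation_summary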