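---
# CIS AIX 7 SSH hardening tasks: confirm sshd_config exists, insert a
# managed block of hardening directives, and validate the result with
# `sshd -t` both before the edit lands (blockinfile `validate:`) and after.
#
# Variables read (expected from the role's defaults/vars or earlier tasks):
#   cis_ssh_config_path            path to sshd_config
#   cis_aix_sshd_path              detected sshd binary (optional)
#   cis_sshd_test_command          "<sshd> -t"; derived below when the binary
#                                  was detected, otherwise must be predefined
#   cis_disable_root_login         bool
#   cis_disable_password_auth      bool
#   cis_ssh_max_auth_tries, cis_ssh_login_grace_time,
#   cis_ssh_client_alive_interval, cis_ssh_client_alive_count_max

- name: Ensure sshd configuration exists
  ansible.builtin.stat:
    path: "{{ cis_ssh_config_path }}"
  register: cis_aix_sshd_config

- name: Fail when sshd configuration is missing
  ansible.builtin.assert:
    that:
      - cis_aix_sshd_config.stat.exists
    fail_msg: "CRITICAL: {{ cis_ssh_config_path }} was not found; refusing to manage SSH hardening."
    success_msg: "OK: {{ cis_ssh_config_path }} exists."

- name: Set sshd validation command from detected binary
  ansible.builtin.set_fact:
    cis_sshd_test_command: "{{ cis_aix_sshd_path }} -t"
  when: cis_aix_sshd_path is defined and cis_aix_sshd_path | length > 0

# The set_fact above is conditional; if no binary was detected and nothing
# else defined cis_sshd_test_command, the blockinfile `validate:` would die
# on an undefined variable. Fail here with a clear message instead, so the
# config file is never edited without a working validation command.
- name: Fail when no sshd validation command is available
  ansible.builtin.assert:
    that:
      - cis_sshd_test_command is defined
      - cis_sshd_test_command | length > 0
    fail_msg: >-
      CRITICAL: cis_sshd_test_command is undefined and no sshd binary was
      detected via cis_aix_sshd_path; refusing to edit
      {{ cis_ssh_config_path }} without validation.

- name: Apply managed AIX sshd hardening block
  ansible.builtin.blockinfile:
    path: "{{ cis_ssh_config_path }}"
    marker: "# {mark} ANSIBLE MANAGED BLOCK cis-aix7-hardening"
    # sshd honours the FIRST occurrence of each keyword, and every line after
    # a `Match` directive belongs to that conditional section. Appending (the
    # blockinfile default) would let pre-existing directives silently win or
    # land these settings inside a Match block, so insert at the top.
    insertbefore: BOF
    owner: root
    group: system
    mode: "0600"
    backup: true
    # %s is the temporary copy blockinfile writes before replacing the target
    validate: "{{ cis_sshd_test_command }} -f %s"
    block: |
      PermitRootLogin {{ 'no' if cis_disable_root_login | bool else 'prohibit-password' }}
      PermitEmptyPasswords no
      PasswordAuthentication {{ 'no' if cis_disable_password_auth | bool else 'yes' }}
      MaxAuthTries {{ cis_ssh_max_auth_tries }}
      LoginGraceTime {{ cis_ssh_login_grace_time }}
      ClientAliveInterval {{ cis_ssh_client_alive_interval }}
      ClientAliveCountMax {{ cis_ssh_client_alive_count_max }}
  notify:
    - validate sshd
    - restart sshd

# Test the file that was actually written, not whatever path sshd has
# compiled in: a bare `sshd -t` would validate the wrong file whenever
# cis_ssh_config_path is not the default location.
- name: Validate effective sshd configuration
  ansible.builtin.command: "{{ cis_sshd_test_command }} -f {{ cis_ssh_config_path }}"
  changed_when: false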