---

- name: chmod 700 /root
  file:
    path: /root
    state: directory
    mode: "0700"
  when: evolinux_root_chmod | bool

- name: "Customize root's bashrc..."
  lineinfile:
    dest: /root/.bashrc
    line: "{{ item }}"
    create: yes
    state: present
  loop:
    - "export HISTCONTROL=$HISTCONTROL${HISTCONTROL+,}ignoreboth,erasedups"
    - "export HISTSIZE=65535"
    - "export HISTTIMEFORMAT=\"%c : \""
    - "shopt -s histappend"
    - "PROMPT_COMMAND=\"history -a;${PROMPT_COMMAND}\""
  when: evolinux_root_bashrc | bool

## .bash_history should be append-only

- name: Create .bash_history if missing
  copy:
    content: ""
    dest: "/root/.bash_history"
    force: no
  when: evolinux_root_bash_history | bool

- name: Set umask in /root/.profile
  lineinfile:
    dest: "/root/.profile"
    line: "umask 0077"
    regexp: "umask [0-9]+"
  when: evolinux_root_umask | bool

- name: "/usr/share/scripts is present in root's PATH"
  lineinfile:
    dest: "/root/.profile"
    line: "PATH=\"${PATH}:/usr/share/scripts\""
  when: ansible_distribution_major_version is version('10', '>=')

- name: Custom git config for root
  copy:
    src: root/gitconfig
    dest: "/root/.gitconfig"
    force: no
  when: evolinux_root_gitconfig | bool

- name: Is .bash_history append-only
  shell: lsattr /root/.bash_history | grep -E "^.*a.* "
  check_mode: no
  register: bash_history_append_only
  failed_when: "'Inappropriate ioctl' in bash_history_append_only.stderr"
  ignore_errors: yes
  changed_when: False

- name: Set .bash_history append-only
  command: chattr +a /root/.bash_history
  when:
  - evolinux_root_bash_history_appendonly | bool
  - bash_history_append_only.rc != 0
  - "'Inappropriate ioctl' not in bash_history_append_only.stderr"

- name: Setting vim as selected-editor
  lineinfile:
    dest: /root/.selected_editor
    regexp: '^SELECTED_EDITOR='
    line: "SELECTED_EDITOR=\"/usr/bin/vim.basic\""
    create: yes
  when: evolinux_root_vim_default | bool

- name: Setting vim root configuration
  lineinfile:
    dest: /root/.vimrc
    line: "{{ item }}"
    create: yes
    state: present
  loop:
    - "syntax on"
    - "set background=dark"
    - "set expandtab"
    - "set tabstop=4"
    - "set softtabstop=4"
    - "set shiftwidth=4"
  when: evolinux_root_vim_conf | bool

- name: disable SSH access for root
  replace:
    dest: /etc/ssh/sshd_config
    regexp: '^PermitRootLogin (yes|without-password|prohibit-password)'
    replace: "PermitRootLogin no"
    validate: '/usr/sbin/sshd -t -f %s'
  notify: reload sshd
  when: evolinux_root_disable_ssh | bool

### Disabled : it seems useless and too dangerous for now
# - name: remove root from AllowUsers directive
#   replace:
#     dest: /etc/ssh/sshd_config
#     regexp: '^(AllowUsers ((?!root(?:@\S+)?).)*)(\sroot(?:@\S+)?|root(?:@\S+)?\s)(.*)$'
#     replace: '\1\4'
#     validate: '/usr/sbin/sshd -T -f %s'
#   notify: reload sshd
#   when: evolinux_root_disable_ssh

- meta: flush_handlers