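---
# Move sshd to a non-default TCP port without locking the operator out:
# label the port for SELinux, open it in the host firewall, edit sshd_config,
# restart sshd, then verify the new port actually answers. The old port is
# deliberately NOT closed here; remove it in a separate run once access over
# new_ssh_port has been confirmed.
- name: Change SSH Port
  hosts: all
  become: true
  vars:
    new_ssh_port: 22233
    # Kept for the follow-up play that closes the old port; unused here.
    old_ssh_port: 22

  tasks:
    # 1. SELinux (CentOS/RHEL/Fedora)
    - name: Check if SELinux is enabled
      ansible.builtin.command: getenforce
      register: selinux_status
      changed_when: false
      # A missing getenforce binary means no SELinux on this host; that is
      # not a failure, the task below simply does not run.
      failed_when: false

    - name: Ensure semanage tooling is present on Enforcing RedHat hosts
      ansible.builtin.package:
        # Package name taken from the original author's note; older EL
        # releases may ship it under a different name — confirm per target.
        name: policycoreutils-python-utils
        state: present
      when:
        - ansible_os_family == "RedHat"
        - selinux_status.stdout is defined
        - selinux_status.stdout == "Enforcing"

    - name: Allow SSH on new port via SELinux
      community.general.seport:
        ports: "{{ new_ssh_port }}"
        proto: tcp
        setype: ssh_port_t
        state: present
      when:
        - selinux_status.stdout is defined
        - selinux_status.stdout == "Enforcing"
      # Errors are NOT ignored here: if the port cannot be labelled, SELinux
      # denies the bind after the restart and sshd is gone. Failing now,
      # before sshd_config is touched, leaves the host reachable on the old
      # port.

    # 2. Firewall (UFW for Ubuntu/Debian)
    - name: Open new SSH port in UFW
      community.general.ufw:
        rule: allow
        port: "{{ new_ssh_port }}"
        proto: tcp
      when: ansible_os_family == "Debian"

    # 3. Firewall (firewalld for CentOS/RHEL)
    - name: Open new SSH port in Firewalld
      ansible.posix.firewalld:
        port: "{{ new_ssh_port }}/tcp"
        permanent: true
        state: enabled
        immediate: true
      when: ansible_os_family == "RedHat"

    # 4. sshd configuration
    - name: Update SSH port in sshd_config
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?Port\s+'
        line: "Port {{ new_ssh_port }}"
        state: present
        # Reject the edit if sshd cannot parse the resulting file.
        validate: '/usr/sbin/sshd -t -f %s'
      notify: Restart SSH
      # NOTE(review): with no existing Port line the new one is appended at
      # EOF; sshd keeps the first Port value it reads, so a drop-in pulled in
      # by an earlier Include would win — confirm on hosts using
      # sshd_config.d.

    - name: Restart SSH now so the new port can be verified in this play
      ansible.builtin.meta: flush_handlers

    - name: Verify sshd is listening on the new port
      ansible.builtin.wait_for:
        port: "{{ new_ssh_port }}"
        # Assumes sshd binds all addresses (the default); adjust if
        # ListenAddress is restricted on the target.
        host: 127.0.0.1
        timeout: 30
      # Fails the play if sshd did not come back on the new port. The control
      # connection already established on the old port stays open, so the
      # operator can still repair the host.

  handlers:
    - name: Restart SSH
      ansible.builtin.service:
        name: "{{ item }}"
        state: restarted
      loop:
        - ssh
        - sshd
      # One of the two unit names is expected to be absent: Debian/Ubuntu
      # call the service 'ssh', CentOS/RHEL 'sshd'. Per-item failures are
      # therefore not fatal; the wait_for task above is the real success
      # check.
      failed_when: false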