From e6d6d9eed053a0e4c1f11904e77ac24ed2a43129 Mon Sep 17 00:00:00 2001
From: June
Date: Sun, 1 Dec 2024 22:20:15 +0100
Subject: [PATCH] report changed properly for "deactivate short moduli" task

This fixes the ansible-lint no-changed-when complaint and also allows to notify the reboot handler.
---
 .../deploy_ssh_server_config/tasks/main.yaml | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/playbooks/roles/deploy_ssh_server_config/tasks/main.yaml b/playbooks/roles/deploy_ssh_server_config/tasks/main.yaml
index 714b0ca..f5d00f5 100644
--- a/playbooks/roles/deploy_ssh_server_config/tasks/main.yaml
+++ b/playbooks/roles/deploy_ssh_server_config/tasks/main.yaml
@@ -17,4 +17,20 @@
 - name: deactivate short moduli
 ansible.builtin.shell:
- cmd: awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp && mv /etc/ssh/moduli.tmp /etc/ssh/moduli
+ executable: /bin/bash
+ cmd: |
+ set -eo pipefail
+
+ awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.tmp
+ if diff /etc/ssh/moduli /etc/ssh/moduli.tmp; then
+ rm /etc/ssh/moduli.tmp
+ else
+ mv /etc/ssh/moduli.tmp /etc/ssh/moduli
+ echo "ansible-changed: changed /etc/ssh/moduli"
+ fi
+ register: result
+ changed_when:
+ - '"ansible-changed" in result.stdout'
+ notify:
+ # Reboot instead of just restarting the ssh service, since I don't know how Ansible reacts, when it restarts the service it probably needs for the connection.
+ - reboot the system
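Review bot: Nothing in the new script checks that the filtered file is non-empty before the `mv`, so if awk matches no lines (for example because the moduli file does not have the layout `$5` assumes) /etc/ssh/moduli is replaced with an empty file and sshd has no primes left in it for group exchange. A guard right after the awk line, such as `[ -s /etc/ssh/moduli.tmp ] || { rm -f /etc/ssh/moduli.tmp; exit 1; }`, would fail the task instead of installing the empty file. Separately, `diff` writes every removed modulus into `result.stdout`; `if cmp -s /etc/ssh/moduli /etc/ssh/moduli.tmp; then` takes the same branch without that output. The reboot handler also looks heavier than the change needs: as far as I know sshd opens the moduli file during each key exchange, so the filtered file may take effect without any restart, which is worth confirming before rebooting hosts for it.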