---
- name: Group hosts by platform
  hosts: all
  tags:
    - always
  pre_tasks:
    - include_tasks: tasks/meta/runtime-group-determination.yaml


- name: Bootstrap remote ansible environment
  hosts: linux
  tags:
    - always
  tasks:
    - name: Install CentOS 8 python bindings
      when: ansible_distribution == "Rocky"
      become: true
      ansible.builtin.dnf:
        state: present
        name:
          - python3-libselinux
          - python3-policycoreutils
          - python3-firewall

    - name: Create state directory
      become: true
      ansible.builtin.file:
        path: "{{ skylab_state_dir }}"
        state: directory
        owner: "{{ ansible_user }}"
        group: "{{ ansible_user }}"
        mode: 0755

    - name: Create bootstrap virtualenv
      ansible.builtin.command:
        cmd: "{{ ansible_python_interpeter | default(discovered_interpreter_python) }} -m venv {{ skylab_ansible_venv }} --system-site-packages"
        creates: "{{ skylab_ansible_venv }}/bin/python"

    - name: Pin bootstrap virtualenv pip
      ansible.builtin.pip:
        executable: "{{ skylab_ansible_venv }}/bin/pip"
        name: pip
        state: present
        version: "{{ skylab_pip_version }}"

    - name: Copy requirements file to remote
      ansible.builtin.copy:
        src: remote-requirements.txt
        dest: "{{ skylab_ansible_venv }}/requirements.txt"
        owner: "{{ ansible_user }}"
        group: "{{ ansible_user }}"
        mode: 0644

    - name: Install remote requirements
      ansible.builtin.pip:
        executable: "{{ skylab_ansible_venv }}/bin/pip"
        requirements: "{{ skylab_ansible_venv }}/requirements.txt"
        state: present


- name: Configure common server settings
  hosts: linux
  vars_files:
    - vars/packages.yaml
  tasks:
    - name: Set hostname
      become: true
      ansible.builtin.hostname:
        name: "{{ inventory_hostname }}"
        use: systemd

    - name: Install EPEL repository config
      when: ansible_distribution == "Rocky"
      become: true
      ansible.builtin.yum_repository:
        name: epel
        description: Extra Packages for Enterprise Linux
        baseurl: https://download.fedoraproject.org/pub/epel/$releasever{{ '/Everything' if ansible_distribution_major_version == '8' else '' }}/$basearch/

    - name: Install EPEL GPG key
      when: ansible_distribution == "Rocky"
      become: true
      ansible.builtin.rpm_key:
        state: present
        key: https://archive.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}

    - name: Disable sudo password for WHEEL group
      when: ansible_distribution == "Rocky" or ansible_distribution == "CentOS"
      become: true
      ansible.builtin.copy:
        src: wheel-group-no-sudo-password
        dest: /etc/sudoers.d/30-wheel
        owner: root
        group: "{{ ansible_user }}"
        mode: 0644

    - name: Install global bash config
      become: true
      ansible.builtin.copy:
        src: global.sh
        dest: /etc/profile.d/ZZ-skylab-global.sh
        owner: root
        group: "{{ ansible_user }}"
        mode: 0644

    - name: Install universal packages
      when: ansible_distribution == "Rocky"
      become: true
      ansible.builtin.dnf:
        name: "{{ skylab_packages_global + skylab_packages_rocky }}"
        state: present


- name: Configure SSH
  hosts: linux
  handlers:
    - name: restart-sshd
      become: true
      ansible.builtin.systemd:
        name: sshd
        state: restarted
  tasks:
    - name: Configure SSH authentication settings
      become: true
      ansible.builtin.replace:
        path: /etc/ssh/sshd_config
        regexp: "{{ item.regex }}"
        replace: "{{ item.value }}"
      notify: [restart-sshd]
      loop:
        - name: disable root login
          regex: "^.*PermitRootLogin (yes|no).*$"
          value: PermitRootLogin no
        - name: disable password auth
          regex: "^.*PasswordAuthentication (yes|no).*$"
          value: PasswordAuthentication no
        - name: disable challenge response auth
          regex: "^.*ChallengeResponseAuthentication (yes|no).*$"
          value: ChallengeResponseAuthentication no
        - name: disable GSSAPI auth
          regex: "^.*GSSAPIAuthentication (yes|no).*$"
          value: GSSAPIAuthentication no
      loop_control:
        label: "{{ item.name }}"

    - name: Disable dynamic MOTD on debian systems
      when: ansible_os_family == "Debian"
      ansible.builtin.replace:
        path: /etc/pam.d/sshd
        regexp: "^session    optional     pam_motd.so  motd=/run/motd.dynamic"
        replace: "#session    optional     pam_motd.so  motd=/run/motd.dynamic"

    - name: Disable Cockpit activation message on Rocky
      when: ansible_distribution == "Rocky"
      become: true
      ansible.builtin.file:
        path: /etc/motd.d/cockpit
        state: absent

    - name: Copy MOTD to remote
      become: true
      ansible.builtin.template:
        src: motd.j2
        dest: /etc/motd
        mode: 0644


- import_playbook: update.yaml