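---
# Base OS setup tasks.
# Facts read here: ansible_os_family, ansible_distribution,
# ansible_distribution_major_version, ansible_machine, ansible_kernel.
# Variables expected from the role/vars files: base_packages, locale,
# timezone, base_autoupdate.
- name: Base setup
  tags:
    - base
  block:
    - name: Include vars for {{ ansible_os_family }}
      ansible.builtin.include_vars: "{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml"

    # Points /bin/sh at bash on Ubuntu hosts.
    - name: Change /bin/sh link on Ubuntu
      ansible.builtin.file:
        src: "bash"
        dest: "/bin/sh"
        owner: root
        group: root
        state: link
      when:
        - "ansible_distribution == 'Ubuntu'"

    - name: Install EPEL repo definition packages for {{ ansible_os_family }} on x86_64 and aarch64 plateform
      ansible.builtin.package:
        name: "{{ item }}"
        update_cache: true
        state: present
      loop:
        - epel-release
      when:
        - ansible_os_family == "RedHat"
        - not ansible_distribution == "OracleLinux"
        - not ansible_machine == "armv7l"
        - not ansible_machine == "armv6l"

    - name: Install EPEL repo definition packages for OracleLinux on x86_64 and aarch64 plateform
      ansible.builtin.package:
        name: "{{ item }}"
        update_cache: true
        state: present
      loop:
        - oracle-epel-release-el8
      when:
        - ansible_distribution == "OracleLinux"
        - not ansible_machine == "armv7l"
        - not ansible_machine == "armv6l"

    # File modes are quoted so YAML keeps the leading zero (octal) intact.
    - name: Install EPEL repo definition for {{ ansible_os_family }} on ARM 32b plateform
      ansible.builtin.template:
        src: etc/yum.repos.d/epel_arm.repo.j2
        dest: /etc/yum.repos.d/epel.repo
        owner: root
        group: root
        mode: "0644"
      when:
        - ansible_os_family == "RedHat"
        - ansible_distribution_major_version == '7'
        - ansible_machine == "armv7l"  # or ansible_machine == "armv6l"

    # NOTE(review): this repo is fetched over plain http with gpgcheck and
    # repo_gpgcheck disabled, so neither transport nor package signatures are
    # verified for anything installed from it. Enable gpgcheck and set gpgkey
    # as soon as the repository publishes a signing key.
    - name: Install EPEL repo definition for {{ ansible_os_family }} on ARM 32b plateform
      ansible.builtin.yum_repository:
        name: RedSleeve-9-EPEL
        description: RedSleeve-9-EPEL
        baseurl: "http://ftp.redsleeve.org/pub/el9/Epel/"
        enabled: true
        gpgcheck: false
        repo_gpgcheck: false
        # gpgkey: "https://repomd.xml.key"
        # exclude: kubelet kubeadm kubectl
      when:
        - ansible_os_family == "RedHat"
        - ansible_distribution_major_version == '9'
        - ansible_machine == "armv7l" or ansible_machine == "armv6l"

    - name: Install base packages for {{ ansible_os_family }}
      ansible.builtin.package:
        name: "{{ base_packages }}"
        update_cache: true
        state: present

    - name: echo 'LANG="{{ locale }}"' > /etc/locale.conf
      ansible.builtin.template:
        src: locale.conf.j2
        dest: /etc/locale.conf
        owner: root
        group: root
        mode: "0644"

    # ln -sf ../usr/share/zoneinfo/Europe/Paris /etc/localtime
    - name: timedatectl set-timezone "{{ timezone }}"; timedatectl set-local-rtc no
      timezone:
        name: "{{ timezone }}"
        hwclock: UTC
      # echo UTC >> /etc/adjtime
      # cat /etc/adjtime
      # 0.0 0 0.0
      # 0
      # UTC

    - name: "Configure auto update for RHEL 7 linux family"
      ansible.builtin.template:
        src: etc/yum/yum-cron.conf.j2
        dest: /etc/yum/yum-cron.conf
        owner: root
        group: root
        mode: "0644"
      when:
        - base_autoupdate | bool
        - ansible_os_family == "RedHat"
        - ansible_distribution_major_version == '7'

    # ansible_distribution_major_version is a string; the comparisons below
    # cast it to int so that e.g. "10" is not ordered before "8" lexically.
    - name: "Configure auto update for RHEL 8/9 linux family"
      ansible.builtin.template:
        src: etc/dnf/automatic.conf.j2
        dest: /etc/dnf/automatic.conf
        owner: root
        group: root
        mode: "0644"
      when:
        - base_autoupdate | bool
        - ansible_os_family == "RedHat"
        - ansible_distribution_major_version | int >= 8

    - name: Enable a timer for dnf-automatic for RHEL 8/9 linux family
      ansible.builtin.systemd:
        name: dnf-automatic.timer
        state: started
        enabled: true
      when:
        - base_autoupdate | bool
        - ansible_os_family == "RedHat"
        - ansible_distribution_major_version | int >= 8

    # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/managing_monitoring_and_updating_the_kernel/index#applying-patches-with-kernel-live-patching_managing-monitoring-and-updating-the-kernel
    # Only on ansible_distribution == "RedHat" (not the whole family):
    # the kpatch-patch package is pinned to the running kernel version.
    - name: Install kpatch packages on RedHat Enterprise Linux 8/9
      ansible.builtin.package:
        name:
          - kpatch
          - kpatch-dnf
          - kpatch-patch
          - "kpatch-patch = {{ ansible_kernel }}"
        update_cache: true
        state: present
      when:
        - base_autoupdate | bool
        - ansible_distribution == "RedHat"
        - ansible_distribution_major_version | int >= 8

    - name: "Configure kernel auto update for RedHat Enterprise Linux 8/9"
      ansible.builtin.copy:
        src: etc/dnf/plugins/kpatch.conf
        dest: /etc/dnf/plugins/kpatch.conf
        owner: root
        group: root
        mode: "0644"
      when:
        - base_autoupdate | bool
        - ansible_distribution == "RedHat"
        - ansible_distribution_major_version | int >= 8

    - name: Enable kernel auto update for RHEL 8/9 linux family
      ansible.builtin.systemd:
        name: kpatch.service
        state: started
        enabled: true
      when:
        - base_autoupdate | bool
        - ansible_distribution == "RedHat"
        - ansible_distribution_major_version | int >= 8

    # - name: upgrade all packages
    #   ansible.builtin.package:
    #     name: "*"
    #     update_cache: true
    #     state: latest

    - name: Install install_pxe.sh script
      ansible.builtin.copy:
        src: usr/local/sbin/install_pxe.sh
        dest: /usr/local/sbin/install_pxe.sh
        owner: root
        group: root
        mode: "0755"

    # A single task both starts and enables rngd; the former separate
    # "Ensure rngd service is started" task was a duplicate of this one.
    - name: Enable rngd service
      ansible.builtin.service:
        name: rngd
        state: started
        enabled: true

    - name: Compress logs
      ansible.builtin.replace:
        path: /etc/logrotate.conf
        regexp: '^#compress'
        replace: 'compress'

    # Ships default TCP Wrappers files only when the host has none yet, so
    # existing local policy is never overwritten.
    - name: TCPWrapper setup
      block:
        - name: Verify if hosts.deny TCP_Wrappers file exists
          ansible.builtin.stat:
            path: "/etc/hosts.deny"
          register: hostsdeny
          check_mode: false

        - name: Verify if hosts.allow TCP_Wrappers file exists
          ansible.builtin.stat:
            path: "/etc/hosts.allow"
          register: hostsallow
          check_mode: false

        - name: Install hosts.deny TCP_Wrappers file
          ansible.builtin.copy:
            src: "hosts.deny"
            dest: "/etc/hosts.deny"
            owner: root
            group: root
            mode: "0644"
          when:
            - not hostsdeny.stat.exists

        - name: Install hosts.allow TCP_Wrappers file
          ansible.builtin.copy:
            src: "hosts.allow"
            dest: "/etc/hosts.allow"
            owner: root
            group: root
            mode: "0644"
          when:
            - not hostsallow.stat.exists
      when:
        - ansible_os_family == "RedHat"
        - ansible_distribution_major_version | int < 9

    # Disabled: `when: false` skips the whole block. The connection values
    # below are example/placeholder data (documentation address ranges and a
    # literal "my-private-key"), not a real configuration.
    - name: Networking
      when:
        - false
      block:
        - name: Install needed network manager libs
          ansible.builtin.package:
            name:
              - NetworkManager-libnm
              - nm-connection-editor
              - libsemanage-python
              - policycoreutils-python
            state: present

        - name: Optionally, at the same time specify IPv6 addresses for the device
          community.general.nmcli:
            conn_name: my-eth1
            ifname: eth1
            type: ethernet
            ip4: 192.0.2.100/24
            gw4: 192.0.2.1
            ip6: 2001:db8::cafe
            gw6: 2001:db8::1
            state: present

        - name: Create a wireguard connection
          community.general.nmcli:
            type: wireguard
            conn_name: my-wg-provider
            ifname: mywg0
            wireguard:
              listen-port: 51820
              private-key: my-private-key
            autoconnect: true
            state: present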