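---
# Checks/deploys a Linux system to be managed with Ansible.
#
# Variables this play reads (passed as extra-vars / Semaphore environment):
#   aptcacher_config  - contents written to /etc/apt/apt.conf.d/proxy
#   ansiblesvc_key    - SSH public key for the deployment user (ansible)
#   nhadmin_password  - clear-text password for the sysadmin user (nhadmin)
#   nhadmin_key       - SSH public key for the sysadmin user (nhadmin)
#
# Ordering matters: the deployment user's key and sudo rights are in place
# before root login is disabled and root's authorized_keys is removed, so the
# first run over a root connection leaves a working key-based ansible login.
- hosts: all
  gather_facts: true
  become: true

  handlers:
    # Restart sshd only when sshd_config actually changed (see the lineinfile
    # task below); restarting unconditionally on every run is unnecessary.
    - name: Restart SSH service.
      ansible.builtin.service:
        name: sshd
        state: restarted

  tasks:
    # Gather system groups so group membership tasks can be skipped on
    # distributions where a given group (e.g. wheel) does not exist.
    - name: Gather all system groups
      ansible.builtin.getent:
        database: group
        split: ':'

    # Check for package managers
    - name: Check for APT installation
      ansible.builtin.stat:
        path: /etc/apt
      register: aptfolder

    # Add sudo package
    - name: Install sudo if not already installed.
      # Looking at you LXCs. >.>
      ansible.builtin.package:
        name:
          - sudo
        state: present

    # APT Cacher-NG Configuration
    - name: Add APT-Cacher-NG Configuration
      ansible.builtin.copy:
        content: "{{ aptcacher_config }}"
        dest: /etc/apt/apt.conf.d/proxy
        owner: root
        group: root
        mode: '0644'
      when: aptfolder.stat.exists

    - name: Remove redundant APT configuration
      ansible.builtin.file:
        path: /etc/apt/apt.conf
        state: absent
      when: aptfolder.stat.exists

    # Update apt package lists after adding our proxy
    - name: Update apt repo package lists from cacher
      ansible.builtin.apt:
        update_cache: true
        force_apt_get: true
        cache_valid_time: 3600
      when: aptfolder.stat.exists

    # User account (ansible) configuration
    - name: Add deployment user.
      ansible.builtin.user:
        name: ansible
        state: present

    # 'wheel' must be a quoted string literal: a bare `wheel` in a `when`
    # expression is an undefined Jinja variable, not the group name.
    - name: Add deployment user to wheel group.
      ansible.builtin.user:
        name: ansible
        groups: wheel
        append: true
      when: "'wheel' in ansible_facts.getent_group"

    # Ansible user SSH pub key
    # This uses an environment variable named ansiblesvc_key in Semaphore which
    # has the ssh-rsa pubkey.
    # The play runs with become, so without explicit owner/mode the directory
    # and key file would be created as root with umask defaults; sshd's
    # StrictModes wants them owned by the user and not group/world writable.
    - name: Create ssh directory for deployment user.
      ansible.builtin.file:
        path: /home/ansible/.ssh
        state: directory
        owner: ansible
        mode: '0700'

    - name: Add deployment user's SSH key.
      ansible.builtin.copy:
        content: "{{ ansiblesvc_key }}"
        dest: /home/ansible/.ssh/authorized_keys
        owner: ansible
        mode: '0600'

    # Add required packages because Debian is lame
    - name: Install standard packages if not already installed.
      # Looking at you LXCs. >.>
      ansible.builtin.package:
        name:
          - curl
          - net-tools
          - wget
        state: present

    # Give ansible sudo rights with no password required.
    # validate runs visudo on the temp copy so a bad line can never be
    # written to the live sudoers file.
    - name: Add sudo rights with no password for deployment user.
      ansible.builtin.lineinfile:
        path: /etc/sudoers
        regexp: '^ansible'
        line: 'ansible ALL=(ALL) NOPASSWD: ALL'
        state: present
        validate: 'visudo -cf %s'

    # # Configure firewalld (if installed) to be disabled (especially if an
    # # internal server.) Firewall rules are managed by UniFi.
    # - name: Stop and disable firewalld.
    #   ansible.builtin.service:
    #     name: firewalld
    #     state: stopped
    #     enabled: false
    #   when: "'firewalld' in services"

    # User account (nhadmin) configuration, for sysadmin use
    # password_hash is given a per-host deterministic salt; with a random salt
    # the hash differs every run and the task reports "changed" each time.
    - name: Create user nhadmin.
      ansible.builtin.user:
        name: nhadmin
        state: present
        password: "{{ nhadmin_password | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"
        shell: /bin/bash

    # Each membership task checks for the group it actually adds; the previous
    # version tested for 'wheel' in all three, so on Debian (no wheel group)
    # nhadmin never joined sudo or systemd-journal.
    - name: Add nhadmin to wheel group.
      ansible.builtin.user:
        name: nhadmin
        groups: wheel
        append: true
      when: "'wheel' in ansible_facts.getent_group"

    - name: Add nhadmin to sudo group.
      ansible.builtin.user:
        name: nhadmin
        groups: sudo
        append: true
      when: "'sudo' in ansible_facts.getent_group"

    - name: Add nhadmin to systemd-journal group.
      ansible.builtin.user:
        name: nhadmin
        groups: systemd-journal
        append: true
      when: "'systemd-journal' in ansible_facts.getent_group"

    # Sysadmin user SSH pub key
    # This uses an environment variable named nhadmin_key in Semaphore which
    # has the ssh-rsa pubkey.
    - name: Create ssh directory for nhadmin.
      ansible.builtin.file:
        path: /home/nhadmin/.ssh
        state: directory
        owner: nhadmin
        mode: '0700'

    - name: Add nhadmin user's SSH key.
      ansible.builtin.copy:
        content: "{{ nhadmin_key }}"
        dest: /home/nhadmin/.ssh/authorized_keys
        owner: nhadmin
        mode: '0600'

    # SSH config updating
    # sshd uses the first value it reads for each keyword. Stock configs ship
    # these keywords commented out, so the regexp does not match and lineinfile
    # would append at EOF - after any `Include sshd_config.d/*.conf` and after
    # any Match block. insertbefore: BOF puts a new line at the top so it wins;
    # an existing uncommented line is still replaced in place.
    - name: Update SSH configuration to disallow root login and disable password authentication.
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        insertbefore: BOF
        state: present
        validate: 'sshd -t -f %s'
      loop:
        - regexp: "^PermitRootLogin"
          line: "PermitRootLogin no"
        - regexp: "^PasswordAuthentication"
          line: "PasswordAuthentication no"
        - regexp: "^PubkeyAuthentication"
          line: "PubkeyAuthentication yes"
      notify: Restart SSH service.

    # Apply the sshd restart now (if notified) so the new policy is live before
    # root's key is removed, matching the previous task order.
    - name: Flush handlers so sshd picks up the new configuration.
      ansible.builtin.meta: flush_handlers

    # Delete our network ansible key (and other keys) from the root user.
    - name: Delete our network ansible key (and other keys) from the root user.
      ansible.builtin.file:
        path: /root/.ssh/authorized_keys
        state: absent

    # Upgrade all apt packages for good measure.
    - name: Upgrade all apt packages
      ansible.builtin.apt:
        upgrade: dist
        force_apt_get: true
      when: aptfolder.stat.exists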