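---
# Tasks that set up the "config update" channel between the master and a node:
# a dedicated sshd instance (sshd.friwall) with its own config, the updater
# script, and mutual key exchange (master's public key -> node root
# authorized_keys; node's host key -> master's known_hosts).

- name: Install packages for config updates
  package:
    name: tar

- name: Limit SSH for config updates
  copy:
    dest: /etc/ssh/
    src: sshd_config.friwall
  notify: reload sshd.friwall

- name: Create SSH service for config updates
  file:
    path: /etc/init.d/sshd.friwall
    src: /etc/init.d/sshd
    state: link

- name: Configure SSH service for config updates
  copy:
    dest: /etc/conf.d/sshd.friwall
    content: |
      cfgfile="/etc/ssh/sshd_config.friwall"
      vrf="default"
  notify: restart sshd.friwall

- name: Enable SSH service for config updates
  service:
    name: sshd.friwall
    enabled: true
    state: started

- name: Install config updater
  copy:
    dest: /usr/local/bin/
    src: update
    # Quoted so the octal mode is passed verbatim instead of being
    # reinterpreted by the YAML parser.
    mode: "0700"

- name: Get master SSH key
  delegate_to: '{{ master }}'
  command: "cat ~friwall/.ssh/id_ed25519.pub"
  register: master_key
  changed_when: false

# This grants the master's friwall account SSH access as root on the node.
# The sshd.friwall instance configured above is presumably what scopes that
# access (see sshd_config.friwall). NOTE(review): consider restricting the
# key further with key_options (e.g. from= / command=) — confirm against the
# updater's needs.
- name: Deploy master key on node
  authorized_key:
    user: root
    key: "{{ master_key.stdout }}"

- name: Get my host SSH key
  command: cat /etc/ssh/ssh_host_ed25519_key.pub
  register: node_key
  changed_when: false

# Pins this node's host key in the master's known_hosts so the master can
# verify the node on later connections (no trust-on-first-use).
- name: Introduce myself to master
  delegate_to: '{{ master }}'
  become: true
  become_user: friwall
  become_method: su
  become_flags: "-s /bin/sh"  # no login shell for user
  known_hosts:
    name: "{{ inventory_hostname }}"
    # Entry covers both the hostname and the loopback IPv4 address so either
    # form of the node name matches.
    key: "{{ inventory_hostname }},{{ interfaces | selectattr('name', '==', 'lo') | map(attribute='ip_addresses') | first | selectattr('role') | selectattr('role.value', '==', 'loopback') | map(attribute='address') | ipv4 | first | ipaddr('address') }} {{ node_key.stdout }}"  # TODO make IP retrieval less terrifying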