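# Baseline host configuration for a Debian/Proxmox node: hostname, DNS,
# apt sources, base packages, network interfaces, SSH hardening and
# nftables, plus an optional second sshd bound to the management VRF.
# Handlers referenced via `notify` (update package cache, reboot,
# reload interfaces, reload sshd, reload nftables) are defined elsewhere
# in the role and are not visible here.
- name: Set hostname
  hostname:
    name: '{{ inventory_hostname }}'

- name: Set up resolv.conf
  template:
    dest: /etc/resolv.conf
    src: resolv.conf.j2
    # File modes are quoted so the YAML loader keeps them as octal strings.
    mode: '0644'

- name: Set up debian repositories
  template:
    dest: /etc/apt/sources.list
    src: sources.list.j2
    mode: '0644'
  notify: update package cache
  # Only hosts that declare a release get a templated sources.list.
  when: debian_release is defined

- name: Install essential packages
  package:
    name:
      - git
      - ifupdown2
      - nftables
      - rsync
      - vim
      - tmux
    # Passed through to the underlying package manager (apt here).
    update_cache: true

- name: Add rules to rename network interfaces
  template:
    dest: /etc/udev/rules.d/10-network.rules
    src: 10-network.rules.j2
    mode: '0644'
  # udev renames only take effect on a fresh boot.
  notify: reboot

# we don’t want to template this file because it gets overwritten by proxmox
# so just try removing anything that messes with our definitions in interfaces.d
- name: Remove interface definitions added by installer
  lineinfile:
    path: /etc/network/interfaces
    regexp: '^iface [^ ]* inet'
    state: absent
  notify: reload interfaces

- name: Include interfaces.d definitions
  lineinfile:
    path: /etc/network/interfaces
    line: 'source /etc/network/interfaces.d/*'
  notify: reload interfaces

- name: Set up interfaces
  template:
    dest: /etc/network/interfaces.d/ansible.intf
    src: ansible.intf.j2
    mode: '0644'
  notify: reload interfaces

- name: Disable SSH password authentication
  lineinfile:
    path: /etc/ssh/sshd_config
    # Matches the active or commented-out form of the directive.
    regexp: '^#?{{ item.key }}'
    line: '{{ item.key }} {{ item.value }}'
    # If the directive is absent, appending at EOF would land inside a
    # trailing `Match` block and silently scope it; insert at the top instead.
    insertbefore: BOF
    # Refuse to install a config sshd cannot parse — a broken sshd_config
    # locks out remote management on the next reload.
    validate: /usr/sbin/sshd -t -f %s
  loop:
    - key: PasswordAuthentication
      value: 'no'
    - key: PermitRootLogin
      value: 'prohibit-password'
  notify: reload sshd

- name: Set up generic firewall rules
  copy:
    dest: /etc/nftables.conf
    src: nftables.conf
  notify: reload nftables

- name: Create nftables include directory
  file:
    path: /etc/nftables.d
    state: directory

- name: Set up local firewall rules
  template:
    dest: /etc/nftables.d/services.nft
    src: services.nft.j2
  notify: reload nftables

- name: Enable firewall
  service:
    name: nftables
    enabled: true
    state: started

- name: Run SSH instance in management VRF
  # selectattr() returns a generator, which is always truthy in a Jinja
  # `if`, so the original condition could never skip this block. Materialise
  # the result and test its length so the block only runs when at least one
  # interface is in the mgmt VRF.
  # NOTE(review): selectattr('vrf') with the default truthiness test raises
  # on interfaces that have no `vrf` key under Ansible's strict undefined
  # handling — confirm every entry in `interfaces` defines it.
  when: interfaces | selectattr('vrf') | selectattr('vrf.name', '==', 'mgmt') | list | length > 0
  block:
    - name: Configure SSH instance in management VRF
      copy:
        # Trailing slash: file lands as /etc/ssh/sshd_config.mgmt.
        dest: /etc/ssh/
        src: sshd_config.mgmt
        mode: '0644'
      notify: reboot

    - name: Set up a SSH instance in management VRF
      copy:
        dest: /etc/systemd/system/
        src: sshd@mgmt.service
        mode: '0644'
      notify: reboot

    - name: Enable management SSH
      service:
        name: sshd@mgmt
        enabled: true
      notify: reboot

# NOTE(review): the flattened source does not show whether this sat inside
# the block above; it is placed at task-list level so pending handlers run
# regardless of the VRF condition — confirm against the original layout.
- meta: flush_handlers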