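# Base host configuration: MOTD, interface naming, hostname, APT sources,
# essential packages, /etc/network/interfaces, resolv.conf, SSH hardening,
# firewall (non-Proxmox hosts only), unattended upgrades and an optional
# sshd instance in the management VRF.

# Grouping only: this block carries no conditions of its own.
- block:
    - name: Determine if this is a Proxmox host
      stat:
        path: /etc/pve
      register: stat_pve

    # `and` short-circuits, so stat.isdir is only read when the path exists.
    - name: Record whether this is a Proxmox host
      set_fact:
        is_proxmox: "{{ stat_pve.stat.exists and stat_pve.stat.isdir }}"

- name: Configure MOTD
  template:
    dest: /etc/motd
    src: motd.j2
    mode: "0644"

# selectattr() returns a lazy generator; materialise it so `loop` always
# receives a real list.
- name: Add rules to rename network interfaces
  template:
    dest: "/etc/systemd/network/10-{{ item.name }}.link"
    src: interface.link.j2
    mode: "0644"
  loop: "{{ interfaces | selectattr('mac_address') | list }}"
  loop_control:
    label: "{{ item.name }}"
  notify: reboot

- name: Set hostname
  hostname:
    name: '{{ inventory_hostname }}'

- name: Set up debian repositories
  template:
    dest: /etc/apt/sources.list
    src: sources.list.j2
    mode: "0644"
  notify: update package cache
  when: debian_release is defined

- name: Install essential packages
  package:
    name:
      - git
      - ifupdown2
      - rsync
      - vim
      - tmux
    update_cache: true

# we don't want to template this file because it gets overwritten by proxmox
# so just try removing anything that messes with our definitions in interfaces.d
- name: Remove interface definitions added by installer
  lineinfile:
    path: /etc/network/interfaces
    regexp: '^iface [^ ]* inet'
    state: absent
  notify: reload interfaces

- name: Include interfaces.d definitions
  lineinfile:
    path: /etc/network/interfaces
    line: 'source /etc/network/interfaces.d/*'
  notify: reload interfaces

- name: Set up interfaces
  template:
    dest: /etc/network/interfaces.d/ansible.intf
    src: ansible.intf.j2
    mode: "0644"
  notify: reload interfaces

- name: Set up resolv.conf
  template:
    dest: /etc/resolv.conf
    src: resolv.conf.j2
    mode: "0644"

# lineinfile rewrites only the LAST line matching `regexp`, while sshd uses the
# FIRST value it reads for a keyword. An earlier uncommented duplicate, or a
# drop-in pulled in by an Include directive, would therefore still win.
# NOTE(review): confirm the effective settings on a target host with
# `sshd -T`, and consider a `validate:` step (`sshd -t -f %s`) so a broken
# config is never written before the reload handler runs.
- name: Disable SSH password authentication
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?{{ item.key }}'
    line: '{{ item.key }} {{ item.value }}'
  loop:
    - key: PasswordAuthentication
      value: 'no'
    - key: PermitRootLogin
      value: 'prohibit-password'
  notify: reload sshd

# NOTE(review): Proxmox hosts get no firewall rules from this role; verify that
# the Proxmox firewall is actually enabled and configured on those hosts.
- name: Set up firewall
  include_tasks: firewall.yml
  when: not is_proxmox  # proxmox has its own firewall configuration

- name: Install automatic upgrade package
  package:
    name: unattended-upgrades

# Explicit mode so the file is not created with umask-dependent permissions.
- name: Configure automatic upgrades
  lineinfile:
    path: /etc/apt/apt.conf.d/20auto-upgrades
    create: true
    mode: "0644"
    line: '{{ item }}'
  loop:
    - 'APT::Periodic::Update-Package-Lists "1";'
    - 'APT::Periodic::Unattended-Upgrade "1";'

# A bare selectattr() chain is a generator object, which is truthy even when it
# yields nothing; test the materialised list's length so the block only runs
# when an interface with a VRF named 'mgmt' is actually defined.
#
# NOTE(review): this instance reads the static file sshd_config.mgmt, which is
# not visible here. The lineinfile hardening above edits /etc/ssh/sshd_config
# only; confirm sshd_config.mgmt sets PasswordAuthentication and
# PermitRootLogin itself.
- name: Run SSH instance in management VRF
  when: interfaces | selectattr('vrf') | selectattr('vrf.name', '==', 'mgmt') | list | length > 0
  block:
    - name: Configure SSH instance in management VRF
      copy:
        dest: /etc/ssh/
        src: sshd_config.mgmt
        mode: "0644"
      notify: reboot

    - name: Set up a SSH instance in management VRF
      copy:
        dest: /etc/systemd/system/
        src: sshd@mgmt.service
        mode: "0644"
      notify: reboot

    - name: Enable management SSH
      service:
        name: sshd@mgmt
        enabled: true
      notify: reboot

# Run any notified handlers now rather than at the end of the play.
- meta: flush_handlers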