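---
# Single-host bootstrap play (workstation / small home server).
#
# It runs against the control node itself (`hosts: localhost`).  Note that
# `~` in tasks WITHOUT `become` expands to the invoking user's home, while in
# `become` tasks it expands to root's home — keep that in mind when adding
# home-directory tasks.
#
# Variables that must come from inventory / vars files (not defined here):
#   ansibleconf_directory, admin_user_name, usbkey_mountdir, usbkey_uuid,
#   services_directory
#
# Changes versus the previous revision (security review):
#   * The play-level `ignore_errors: true` is gone.  It silently masked failures
#     in security-relevant tasks (sshd_config, doas.conf).  The one thing it was
#     buying — guaranteeing that doas.conf is restored at the end — is now done
#     with a block/always, which runs even when a task fails.
#   * Helper scripts in ~/.local/bin are no longer world-writable (0777): any
#     local user could have edited a script the admin then runs.
#   * The Docker apt key is stored under /etc/apt/keyrings and bound to the
#     Docker repo with `signed-by=`, instead of the deprecated apt_key path
#     that makes the key trusted for every repository.
#   * sshd_config and doas.conf are validated before being installed so a bad
#     template cannot lock the admin out.
- hosts: localhost
  vars:
    # Packages to install
    packages:
      # System
      - linux-headers-amd64
      - build-essential
      - ssh
      - mount
      - vim
      - neofetch
      - htop
      - doas
      - systemd-resolved
      # File Server
      # - zfsutils-linux
      # - samba
      # USB Key
      # - exfat-fuse
      # - exfat-utils
      - exfatprogs
      # Docker
      - ca-certificates
      - curl
      - gnupg
      # TLS Certificates for Docker containers
      - certbot
      # VPN Client to Proxy server
      # Now handled in the docker containers themselves via gluetun, however
      # wireguard-tools is still used for generating keys
      # - wireguard
      - wireguard-tools
      # Firewall
      - iptables-persistent
    # Debian release used for the Docker apt repository.  Pinned rather than
    # taken from facts so a release upgrade is a deliberate change here.
    docker_apt_release: bullseye
    # Filled in below from the service_* directories found in the ansible conf.
    available_servicedirs: []

  tasks:
    # --- doas: install the default config, then temporarily drop the password
    # prompt for the rest of the run (doas `persist` does not work inside
    # scripts).  The default config is restored in the `always:` section at the
    # end, whether or not the intermediate tasks succeed.
    - name: Apply default doas configuration allowing wheel group users to elevate commands with prompt
      become: true
      ansible.builtin.template:
        src: root_resources/etc/doas.conf
        dest: /etc/doas.conf
        owner: root
        group: root
        mode: '0600'
        # Parse the rendered config before installing it; a syntax error here
        # would otherwise leave the admin unable to elevate.
        validate: '/usr/bin/doas -C %s'

    - name: Temporarily disable doas pass prompt as doas persist does not work within scripts
      become: true
      ansible.builtin.replace:
        path: /etc/doas.conf
        regexp: 'persist'
        replace: 'nopass'
        validate: '/usr/bin/doas -C %s'

    - name: Provision the host with the doas prompt disabled
      block:
        # Environment Variables config
        - name: Configure environment variables
          become: true
          ansible.builtin.lineinfile:
            path: /etc/environment
            state: present
            regexp: "^{{ item.key }}="
            line: "{{ item.key }}={{ item.value }}"
          loop:
            - { key: "ANSIBLE_CONFIG", value: "{{ ansibleconf_directory }}/ansible.cfg" }

        # System Setup
        - name: Ensure .bashrc is updated
          ansible.builtin.template:
            src: home_resources/.bashrc
            dest: "~/.bashrc"

        # Append " contrib" to every deb/deb-src line that does not already
        # carry it.
        - name: Add contrib
          become: true
          ansible.builtin.replace:
            dest: /etc/apt/sources.list
            regexp: '^(deb(?!.* contrib).*)'
            replace: '\1 contrib'

        # Custom Helper Scripts
        - name: Create the local bin dir if it does not exist
          ansible.builtin.file:
            path: "~/.local/bin"
            state: directory
            mode: '0755'

        - name: Ensure custom scripts are added to local bin dir
          ansible.builtin.template:
            src: "home_resources/.local/bin/{{ item }}"
            dest: "~/.local/bin/{{ item }}"
            # Owner-writable only.  These scripts sit on the admin's PATH; a
            # world-writable mode would let any local account plant code that
            # runs with the admin's privileges.
            mode: '0755'
          loop:
            - spark_ansible-playbook.sh
            - spark_ansible-editvault.sh
            - spark_ansible-viewvault.sh

        # Package Config
        - name: Ensure list of packages is installed
          become: true
          ansible.builtin.apt:
            name: "{{ packages }}"
            state: present
            update_cache: true

        - name: Enable Systemd Resolved for DNS queries
          become: true
          ansible.builtin.systemd:
            name: systemd-resolved
            enabled: true
            state: started

        # DNS Config
        - name: Ensure Systemd Resolved DNS configuration is updated
          become: true
          ansible.builtin.template:
            src: root_resources/etc/resolv.conf
            dest: /etc/resolv.conf

        - name: Ensure USB key mountpoint exists
          become: true
          ansible.builtin.file:
            path: "{{ usbkey_mountdir }}"
            state: directory

        # FStab Config
        # exFAT carries no POSIX permissions: everything is presented as owned
        # by uid/gid 1000, directories 0777 (dmask=0000) and files 0666
        # (fmask=0111).  `nofail` keeps boot going when the key is absent.
        - name: Mount up USB key by UUID
          become: true
          ansible.posix.mount:
            path: "{{ usbkey_mountdir }}"
            src: "UUID={{ usbkey_uuid }}"
            fstype: exfat
            opts: nofail,dmask=0000,fmask=0111,gid=1000,uid=1000
            state: present

        # SSH Server Setup
        - name: Enable SSH
          become: true
          ansible.builtin.systemd:
            name: ssh
            enabled: true
            state: started

        # NOTE(review): this task is not run with become, so the chown to
        # admin_user_name only succeeds when that is also the invoking user —
        # confirm that assumption holds for how this play is launched.
        - name: Ensure ssh configuration directory exists
          ansible.builtin.file:
            path: "~/.ssh"
            state: directory
            owner: "{{ admin_user_name }}"
            group: "{{ admin_user_name }}"
            mode: '0700'

        - name: Ensure local ssh configuration is updated
          ansible.builtin.template:
            src: home_resources/.ssh/config
            dest: "~/.ssh/config"
            mode: '0600'

        - name: Ensure sshd configuration is updated
          become: true
          ansible.builtin.template:
            src: root_resources/etc/ssh/sshd_config
            dest: /etc/ssh/sshd_config
            owner: root
            group: root
            mode: '0644'
            # Refuse to install a config sshd itself rejects — otherwise the
            # next restart fails and the host is unreachable over SSH.
            validate: '/usr/sbin/sshd -t -f %s'

        # Wireguard VPN Client Setup
        # Now handled in the docker containers themselves via gluetun.
        # Kept for reference:
        # - name: Ensure wireguard client configuration is updated
        #   template:
        #     src: root_resources/etc/wireguard/wg0.conf
        #     dest: "/etc/wireguard/wg0.conf"
        # - name: Ensure wireguard can find resolvconf on SystemD init systems
        #   (on systemd systems resolvectl is used instead)
        #   ansible.builtin.file:
        #     src: /usr/bin/resolvectl
        #     dest: "/usr/local/bin/resolvconf"
        #     state: link
        # - name: Enable wireguard client
        #   ansible.builtin.systemd:
        #     name: wg-quick@wg0
        #     enabled: yes
        #     state: started

        # Docker Setup
        - name: Ensure the apt keyrings directory exists
          become: true
          ansible.builtin.file:
            path: /etc/apt/keyrings
            state: directory
            owner: root
            group: root
            mode: '0755'

        # Fetch the key to a dedicated keyring file and reference it with
        # `signed-by=` so it can only sign the Docker repository, rather than
        # dropping it into the global trusted keyring (apt_key / apt-key is
        # deprecated for exactly this reason).
        - name: Add Docker GPG apt Key
          become: true
          ansible.builtin.get_url:
            url: https://download.docker.com/linux/debian/gpg
            dest: /etc/apt/keyrings/docker.asc
            owner: root
            group: root
            mode: '0644'

        - name: Add Docker Repository
          become: true
          ansible.builtin.apt_repository:
            repo: "deb [signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian {{ docker_apt_release }} stable"
            state: present

        - name: Install docker packages
          become: true
          ansible.builtin.apt:
            pkg:
              - docker-ce
              - docker-ce-cli
              - containerd.io
              - docker-buildx-plugin
              - docker-compose-plugin
            state: present
            update_cache: true

        # Services Configuration - Groups
        # Each service gets its own user so it can only edit the files in its
        # own folder under the services directory.
        #
        # NOTE(review): membership of the `docker` group is equivalent to root
        # (any member can start a container with the host filesystem mounted),
        # so both the admin user and every service user below are effectively
        # privileged; the per-service isolation only holds against accidental
        # edits, not against a compromised service account.  `wheel` is also
        # assumed to exist (Debian ships `sudo`, not `wheel`) — the doas.conf
        # template or an earlier step is expected to create it.
        - name: "Create admin user {{ admin_user_name }}"
          become: true
          ansible.builtin.user:
            name: "{{ admin_user_name }}"
            state: present
            groups: wheel,docker
            append: true

        - name: Find all service directories available in ansible configuration
          ansible.builtin.find:
            paths: "{{ ansibleconf_directory }}/services"
            file_type: directory
            use_regex: true
            patterns: ['service_']
            recurse: false
          register: findoutput

        # Keep only the final path component (e.g. `service_foo`); that name is
        # used as the unix user, group and directory name below.
        - name: Add found ansible configuration service directories to service directories variable
          ansible.builtin.set_fact:
            available_servicedirs: "{{ findoutput.files | map(attribute='path') | map('basename') | list }}"

        - name: Automatically create service users based on found ansible conf service directories
          become: true
          ansible.builtin.user:
            name: "{{ item }}"
            state: present
            shell: /bin/bash
            groups: docker
            append: true
          loop: "{{ available_servicedirs }}"

        # Services Configuration - Permissions
        # Root-owned parent with the sticky bit: service users may create and
        # remove only their own entries.
        - name: Ensure service directory exists
          become: true
          ansible.builtin.file:
            path: "{{ services_directory }}"
            state: directory
            owner: root
            group: root
            mode: '1755'

        - name: Automatically create all services directory based on found ansible conf service directories
          become: true
          ansible.builtin.file:
            path: "{{ services_directory }}/{{ item }}"
            state: directory
            owner: "{{ item }}"
            group: "{{ item }}"
            mode: '0700'
          loop: "{{ available_servicedirs }}"

        - name: Ensure service users upon login start in their respective service directory
          become: true
          ansible.builtin.lineinfile:
            path: "/home/{{ item }}/.profile"
            line: "cd {{ services_directory }}/{{ item }}"
            # The skeleton normally provides .profile; create it if it is
            # missing rather than failing the task.
            create: true
            owner: "{{ item }}"
            group: "{{ item }}"
            mode: '0644'
          loop: "{{ available_servicedirs }}"

      always:
        # Runs even if a task above failed, so the host is never left with a
        # passwordless doas rule.
        - name: Reset doas configuration back to default
          become: true
          ansible.builtin.template:
            src: root_resources/etc/doas.conf
            dest: /etc/doas.conf
            owner: root
            group: root
            mode: '0600'
            validate: '/usr/bin/doas -C %s'

    # End
    - name: Debug Finish message
      ansible.builtin.debug:
        msg: Ansible playbook has finished!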