- hosts: finntroll.liw.fi
  remote_user: root
  roles:
    - sshd
    - sane_debian_system
    - self-updating-system
    - comfortable-debian-system
    - unix_users
    - rust-rustup
    - radicle_node
  tasks:
    - name: "install additional packages"
      apt:
        name:
          - jq
          - moreutils
          - nmap
          - psmisc
          - ripgrep
          - sqlite3
          - wumpus-hunter

    - name: "create directory for wumpus files"
      file:
        state: directory
        path: /srv/wumpus
        owner: wumpus
        group: wumpus

    - name: "create directory for temporary wumpus files"
      file:
        state: directory
        path: /srv/tmp
        owner: wumpus
        group: wumpus

    - name: "install wumpus hunter config"
      copy:
        content: |
          description: |
             Results of running the Radicle heartwood tests
             repeatedly. Report number of successful and fail test
             runs per commit. Keep logs of each test run for each
             commit.
          repository_url: https://seed.radicle.xyz/z3gqcJUoA1n9HaHKufZs5FCSGazv5.git
          git_ref: master
          command: |
            cargo test --locked --workspace
        dest: /home/wumpus/wumpus.yaml
        owner: wumpus
        group: wumpus

    - name: "install service unit for wumpus hunter"
      copy:
        content: |
          [Unit]
          Description=Wumpus hunter
          After=network.target network-online.target
          Requires=network-online.target

          [Service]
          User=wumpus
          Group=wumpus
          ExecStart=/usr/bin/wumpus-hunter run --logs /srv/wumpus /home/wumpus/wumpus.yaml
          Environment=RUST_BACKTRACE=1 WUMPUS_LOG=info PATH=/home/wumpus/.cargo/bin:/bin:/sbin TMPDIR=/srv/tmp
          KillMode=process
          Restart=always
          RestartSec=3

          [Install]
          WantedBy=multi-user.target
        dest: /etc/systemd/system/wumpus-hunter.service

    - name: "(re)start systemd unit for Radicle node"
      systemd:
        name: wumpus-hunter
        state: restarted
        masked: no
        enabled: yes
        daemon_reload: yes

  vars:
    ansible_python_interpreter: /usr/bin/python3

    sane_debian_system_version: 2
    sane_debian_system_hostname: finntroll
    sane_debian_system_codename: bookworm
    sane_debian_system_timezone: Europe/Helsinki
    sane_debian_system_sources_lists:
      - repo: |
          deb http://security.debian.org/debian-security bookworm-security main contrib non-free
      - repo: deb http://apt.liw.fi/debian unstable main
        signing_key: "{{ apt_liw_fi_signing_key }}"

    unix_users_version: 2
    unix_users:
      - username: liw
        comment: Lars Wirzenius
      - username: _rad
        comment: Radicle node
      - username: wumpus
        comment: Wumpus hunter

    sshd_version: 1
    sshd_host_key: "{{ lookup('pipe', 'sshca host private-key finntroll.liw.fi') }}"
    sshd_host_cert: "{{ lookup('pipe', 'sshca host certify --ca liw.fi/ca/host/v5 finntroll.liw.fi') }}"
    sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}"

    radicle_node_version: 1
    radicle_node_key: "{{ lookup('pipe', 'pass radicle/radicle.liw.fi/key') }}"
    radicle_node_key_pub: "{{ lookup('pipe', 'pass radicle/radicle.liw.fi/key.pub') }}"
    # radicle_node_connections:
    #   - nid: z6MkhfTshN2uPFBGcxBsZW7Mbof1TgkphBqr5dFTWd1hbNUq
    #     host: seed.liw.fi
    #     port: 8776
    radicle_node_repositories:
      # Radicle work
      - rid: "rad:z3gqcJUoA1n9HaHKufZs5FCSGazv5"        # heartwood
      - rid: "rad:zZnk3hS8C3WAhnv7mWcCUToCqpBs"         # pathdedup test repo
      - rid: "rad:zwTxygwuz5LDGBq255RA2CbNGrz8"         # radicle-ci-broker
      - rid: "rad:z3qg5TKmN83afz2fj9z3fQjU8vaYE"        # radicle-native-ci
      - rid: "rad:z2HXqzZMRhZUiYm33pLgYfqBgcGCj"        # radicle-stress-test
      - rid: "rad:zd4kAF7rQFKbCHAdbcF6zVkx8MyN"         # wumpus hunter

      # Personal, Subplot
      - rid: "rad:zjxyd2A1A7FnxtC69qDfoAajfTHo"         # subplot
      - rid: "rad:z2M6WnwXyFcdQNj6M5pav3BnyTBfz"        # subplot-web

      # Personal, Obnam
      - rid: "rad:zhmWact4xuWp1XSwPER79oPUGW9S"         # cachedir
      - rid: "rad:z2iicxsVP46kyA7rzFXrQHrk88cAo"        # obnam2
      - rid: "rad:z2aq8B4ui77q8msEtUaGYXeSwNYuc"        # obnam-web
      - rid: "rad:z3ZFpLzEYTmjzDqSTxf2bZchktBH1"        # obnam-benchmark
      - rid: "rad:z2bB6gdePNQ9jyMK487mu4CraYewX"        # obnam-benchmark-results
      - rid: "rad:z3NGfAXUfSehZbf8f6VGad9KHCrb5"        # obnam-benchmark-specs
      - rid: "rad:z3cL5uBuhFK5FWkc5RYecAoBXNz8d"        # summain

      # Personal, other
      - rid: "rad:z4AmsrmyEsdZWh9KLSRbReDM9nnbe"        # 256.liw.fi
      - rid: "rad:z3sckw1Xm8j5URDJz1zeESHfFYDEc"        # ansibleness
      - rid: "rad:z2aW1bujxH96GsWdKBcFqDpzSNnUS"        # clab
      - rid: "rad:z3LXXus6Wu93LuSuuuSBPcFkDiyCW"        # debian-ansible
      - rid: "rad:z355dPnbvpPxC3FoT38pjs9AzspQB"        # early-linux-history-talk
      - rid: "rad:z3pQaQ5fBe9CZY9g9vzXLWPEnwXVB"        # extrautils
      - rid: "rad:zN4j1nt4y1xtoz9Tat6asyfJDyc2"         # gtdfh
      - rid: "rad:z2i9UF8soK1X6L9hae8UcQPSvdHjW"        # html-page
      - rid: "rad:z2wZYvawkpUTnfrCL5iHaufpCdXyk"        # jt
      - rid: "rad:zUcMk9QpMdyty6tABQ6Cje21xAro"         # liw-automation
      - rid: "rad:z4Az1APNZyfFVkTzneyfq6SBPKqtV"        # linux-news
      - rid: "rad:z2xcsrnG8dC76bkxXsASZbWGH5N2w"        # liw-dot-files
      - rid: "rad:z3PKKNstRjLYqhvGq9rxGy7LoEVr5"        # missing-dependencies
      - rid: "rad:z2tnM99uips8nguhcg12hLX5yC3t7"        # pandoc-filter-diagram
      - rid: "rad:z3uBEubocQ9kJANPvMAo6z5ZhhaFh"        # pathdedup (real)
      - rid: "rad:zRGTo2HYeSsNojTQg93anVtn5Gcw"         # puomi
      - rid: "rad:z3GDoHhm4t58pciEoXZBPA76Qtzqz"        # puomi-web
      - rid: "rad:zw9BgStPgCkdsMspzs7EGbwnXq3r"         # riki
      - rid: "rad:z2oUkTnZgqvEER9WZdZLU19rqv7rX"        # riki-web
      - rid: "rad:z4PiGKYWcz3XPzLf91DAgSHxjNvg8"        # roadmap
      - rid: "rad:z24MZ7A64C7c9MmcNfR2X7GtQUk14"        # sshca
      - rid: "rad:z2S7Wn8ZWBKQUQkUNikpZiuFFJZDv"        # sshca-web
      - rid: "rad:zgYpM7b29D6wTMjEUxxzBjcF9EvK"         # unpack-debian-sources
      - rid: "rad:z37yxMDoGWhErwFt55n4jDCiQwxLm"        # v-i
      - rid: "rad:z4DNcHPHUoCytkihDY4vDp4KvGxh3"        # v-i-web
      - rid: "rad:z3U5PDwEqz64be8vfqEyyj2rkfd1s"        # vmadm
      - rid: "rad:z2qboj3zYdhQBKo8yGxMfwvhj7HfN"        # vmadm-web
      - rid: "rad:z2kxCtBwDQMPcaf9vGTNH5nYkp9qk"        # vmdb2
      - rid: "rad:z2mn6wzpVAuJoeWx7TZo33nCHuDfQ"        # vmdb2-web
    radicle_node_domain_name: radicle.liw.fi
    radicle_node_ci_domain_name: ci.radicle.liw.fi
    radicle_node_ci_broker_config: |
      db: /home/_rad/ci-broker.db
      report_dir: /srv/http
      default_adapter: native
      adapters:
        native:
          command: /bin/radicle-native-ci
          env:
            RADICLE_NATIVE_CI: /home/_rad/native-ci.yaml
          sensitive_env: {}
      filters:
        - !Or
          - !And
            - !Repository "rad:zZnk3hS8C3WAhnv7mWcCUToCqpBs" # pathdeup-messy-test-repo
            - !AnyPatch
          - !And
            - !Repository "rad:z3gqcJUoA1n9HaHKufZs5FCSGazv5" # heartwood
            - !AnyPatch
          - !And
            - !Repository "rad:zwTxygwuz5LDGBq255RA2CbNGrz8" # radicle-ci-broker
            - !Or
              - !Branch main
              - !AnyPatch
          - !And
            - !Repository "rad:z3qg5TKmN83afz2fj9z3fQjU8vaYE" # radicle-native-ci
            - !Or
              - !Branch main
              - !AnyPatch
    radicle_node_policy: block
    radicle_node_scope: all

    radicle_node_wumpus_domain_name: wumpus.liw.fi

    # radicle_node_backup: /home/liw/data/radicle.liw.fi/.

    rust_rustup_user: _rad