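---
# Ansible playbook to install stuff for a standard install with v-i.
# You should inspect the user_* variables at the end, and override
# them with "ansible_vars" in the system spec file. v-i sets the
# hostname variable automatically.
#
# Variables used here but not defined in this file (expected from v-i
# or the system spec): hostname, debian_release, and the optional
# user_pub, user_ca_pubkey, host_key and host_cert.
- hosts: image
  tasks:
    - name: "set /etc/hostname"
      copy:
        content: |
          {{ hostname }}
        dest: /etc/hostname

    # Default: lock root's password so root can only get in through the
    # SSH key / CA material installed below.
    - name: "lock root password"
      command: passwd -l root
      when: passwordless_root is not defined or not passwordless_root

    # Opt-in only: empty root's password field so root can log in on the
    # console without a password. sshd refuses empty passwords unless
    # PermitEmptyPasswords is turned on, so this alone does not expose
    # root over the network.
    - name: "remove root password"
      command: sed -i '/^root:[^:]*:/s//root::/' /etc/passwd
      when: passwordless_root

    - name: "create ~root/.ssh"
      when: user_pub is defined
      file:
        state: directory
        path: /root/.ssh
        owner: root
        group: root
        mode: "0700"

    - name: "set ~root/.ssh/authorized keys"
      when: user_pub is defined
      copy:
        content: |
          {{ user_pub }}
        dest: /root/.ssh/authorized_keys
        owner: root
        group: root
        mode: "0600"

    # Public CA key: readable by all, writable only by root.
    - name: "install user CA public key"
      when: user_ca_pubkey is defined
      copy:
        content: |
          {{ user_ca_pubkey }}
        dest: /etc/ssh/user_ca_pubs
        owner: root
        group: root
        mode: "0644"

    # This turns off password authentication for every user, not only
    # root. The regexp is anchored so only the directive line itself is
    # rewritten, never a comment that merely mentions it. On releases
    # whose sshd_config includes sshd_config.d/*.conf before its own
    # settings, a drop-in there would take precedence over this line.
    - name: "restrict root logins over ssh to require a key"
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^\s*#*\s*PasswordAuthentication\b'
        line: "PasswordAuthentication no"

    - name: "configure sshd to accept CA for users"
      when: user_ca_pubkey is defined
      copy:
        content: |
          TrustedUserCAKeys /etc/ssh/user_ca_pubs
        dest: /etc/ssh/sshd_config.d/user_ca.conf

    # Private host key: root-only.
    - name: "install host key"
      when: host_key is defined
      copy:
        content: |
          {{ host_key }}
        dest: /etc/ssh/ssh_host_key
        owner: root
        group: root
        mode: "0600"

    - name: "install host cert"
      when: host_cert is defined
      copy:
        content: |
          {{ host_cert }}
        dest: /etc/ssh/ssh_host_key-cert.pub
        mode: "0644"

    # NOTE(review): this drop-in references /etc/ssh/ssh_host_key, which
    # is only written when host_key is defined; setting host_cert without
    # host_key leaves sshd pointing at a missing key file.
    - name: "configure sshd to use host cert"
      when: host_cert is defined
      copy:
        content: |
          HostKey /etc/ssh/ssh_host_key
          HostCertificate /etc/ssh/ssh_host_key-cert.pub
        dest: /etc/ssh/sshd_config.d/host_cert.conf

    - name: "configure keyboard layout"
      copy:
        content: |
          XKBMODEL="{{ user_keyboard_model }}"
          XKBLAYOUT="{{ user_keyboard_layout }}"
          XKBVARIANT=""
          XKBOPTIONS=""
          BACKSPACE="guess"
        dest: /etc/default/keyboard

    - name: "configure console"
      copy:
        content: |
          ACTIVE_CONSOLES="/dev/tty[1-6]"
          CHARMAP="UTF-8"
          CODESET="{{ user_console_codeset }}"
          FONTFACE="Fixed"
          FONTSIZE="8x16"
          VIDEOMODE=
        dest: /etc/default/console-setup

    - name: "set default locales for all users"
      copy:
        content: |
          {{ user_locale }}
        dest: /etc/profile.d/locale.sh

    - name: "remove ifupdown"
      apt:
        name: ifupdown
        state: absent

    # Non-free firmware lives in a separate component from bookworm on;
    # bullseye still ships it in "non-free".
    - name: "enable the non-free-firmware component"
      when: debian_release != "bullseye"
      apt_repository:
        repo: "deb http://deb.debian.org/debian {{ debian_release }} non-free-firmware"
        state: present
        update_cache: true

    - name: "enable the non-free component"
      when: debian_release == "bullseye"
      apt_repository:
        repo: "deb http://deb.debian.org/debian {{ debian_release }} non-free"
        state: present
        update_cache: true

    - name: "install iwd and firmware for wifi"
      apt:
        name:
          - firmware-brcm80211
          - firmware-iwlwifi
          - firmware-libertas
          - firmware-misc-nonfree
          - firmware-realtek
          - firmware-ti-connectivity
          - iwd

    - name: "enable iwd"
      systemd:
        name: iwd
        enabled: true

    - name: "configure networkd for Ethernet"
      copy:
        content: |
          [Match]
          Name=eth0

          [Network]
          DHCP=yes
        dest: /etc/systemd/network/external.network

    - name: "configure networkd for wireless"
      copy:
        content: |
          [Match]
          Name=wlan*

          [Network]
          DHCP=yes
        dest: /etc/systemd/network/wireless.network

    # The host's iwd network profiles carry wireless credentials. Without
    # an explicit mode, copy creates them on the target with the default
    # umask-derived permissions, so pin them to root-only.
    - name: "copy wireless credentials from host to target"
      copy:
        src: /var/lib/iwd/
        dest: /var/lib/iwd/
        owner: root
        group: root
        mode: "0600"
        directory_mode: "0700"

    - name: "enable networkd"
      systemd:
        name: systemd-networkd
        enabled: true

    - name: "install resolved"
      apt:
        name:
          - systemd-resolved

    - name: "enable resolved"
      systemd:
        name: systemd-resolved
        enabled: true

    # Allow lookup of domain-less names, when the DHCP server doesn't
    # set a domain for the LAN. See
    # https://wiki.archlinux.org/title/Systemd-resolved#systemd-resolved_does_not_resolve_hostnames_without_suffix
    - name: "tweak resolved.conf for domain-less DNS lookup"
      lineinfile:
        path: /etc/systemd/resolved.conf
        regexp: '^#?ResolveUnicastSingleLabel='
        line: ResolveUnicastSingleLabel=yes

  vars:
    ansible_python_interpreter: /usr/bin/python3
    user_locale: |
      export LC_CTYPE=C.UTF8
    # You may want to override these to get a non-US keyboard layout.
    user_keyboard_model: pc105
    user_keyboard_layout: us
    user_console_codeset: Lat15
    # Set to true only when the image needs a console root login with no
    # password; see the "lock root password"/"remove root password" tasks.
    passwordless_root: false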