---

# Opt-in release upgrade: the `never` tag keeps it out of normal runs, so it
# only executes when the play is invoked with `--tags debian-upgrade`.
# import_tasks is static, so the `when` is attached to every task inside
# debian-upgrade.yaml rather than to the import itself.
- name: Import debian-upgrade.yaml if not bookworm
  ansible.builtin.import_tasks:
    file: debian-upgrade.yaml
  when: ansible_facts['distribution_release'] != "bookworm"
  tags:
    - debian-upgrade
    - never

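# Render the apt configuration fragments and sources.list. The result is
# registered so the package-install task below can decide whether the apt
# cache needs refreshing. Items are plain block mappings and iterated with
# `loop` (with_items only adds list flattening, which these dict items never
# need); each item may override mode/owner/group, defaulting to 0644 root:root.
- name: Apt config and sources.list
  ansible.builtin.template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "{{ item.mode | default('0644') }}"
    owner: "{{ item.owner | default('root') }}"
    group: "{{ item.group | default('root') }}"
  loop:
    - src: apt.conf.j2
      dest: /etc/apt/apt.conf
    - src: apt-defaultrelease.j2
      dest: /etc/apt/apt.conf.d/09defaultrelease
    - src: apt-preferences-stable.j2
      dest: /etc/apt/preferences.d/stableonly
    - src: sources.list.j2
      dest: /etc/apt/sources.list
    - src: apt-auto-upgrades.j2
      dest: /etc/apt/apt.conf.d/20auto-upgrades
    - src: apt-unattended-upgrades.j2
      dest: /etc/apt/apt.conf.d/50unattended-upgrades
  loop_control:
    # keep per-item output to the destination path instead of the whole dict
    label: "{{ item.dest }}"
  register: aptconfig
  when: ansible_os_family == "Debian"
  tags:
    - sourceslist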

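# Install root's authorized_keys only for hosts that explicitly opt in via
# `root_access`. `| bool` normalises string values such as "false" (e.g.
# passed with -e on the command line), which a bare truthiness test would
# treat as enabled; an undefined variable still means "no root access".
# The mode is quoted so the octal literal is never read as the integer 600.
# NOTE(review): template does not create parent directories, so /root/.ssh
# is assumed to exist already — confirm where it is created.
- name: Update authorized_keys
  ansible.builtin.template:
    src: authorized_keys.j2
    dest: /root/.ssh/authorized_keys
    mode: "0600"
  when: root_access | default(false) | bool
  tags: authorized_keys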

# Network configuration lives in its own task file; statically imported so
# the `network` tag applies to every task it contains.
- name: Import network tasks
  ansible.builtin.import_tasks:
    file: network.yaml
  tags:
    - network

# Prometheus node-exporter setup; selectable on its own with `--tags node-exporter`.
- name: Import node-exporter
  ansible.builtin.import_tasks:
    file: node-exporter.yaml
  tags:
    - node-exporter

# Virtual-machine specific tasks (reachable via either the `vm` or the
# `guestagent` tag).
- name: Import vm tasks
  ansible.builtin.import_tasks:
    file: vm.yaml
  tags: [vm, guestagent]

# Purge the inventory-defined blocklist of packages (and anything only they
# depended on). An undefined `debian_packages_unwanted` becomes an empty list.
- name: Remove debian-packages we don't want
  ansible.builtin.apt:
    pkg: "{{ debian_packages_unwanted | default([]) }}"
    state: absent
    autoremove: true

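# Base tool set for every host.
# Cache handling: a non-zero cache_valid_time makes the apt module skip
# `apt-get update` whenever /var/lib/apt/lists is younger than that window,
# regardless of update_cache — so after the sources.list/apt.conf task above
# rewrote something, a fixed 3600 could leave the install running against
# lists from the old sources. The window is therefore dropped to 0 (always
# refresh) when that task reported a change, and kept at one hour otherwise.
# `default(false)` is applied before `bool` so an undefined register (task
# skipped on non-Debian, or run with tags) does not error inside `bool`.
- name: Install standard packages
  ansible.builtin.apt:
    update_cache: true
    cache_valid_time: "{{ 0 if (aptconfig.changed | default(false) | bool) else 3600 }}"
    pkg:
      - curl
      - fzf
      - ack
      - etckeeper
      - git
      - htop
      - jq
      - net-tools
      - netcat-openbsd
      - ripgrep
      - rsync
      - tree
      - neovim
      - vim
      - unattended-upgrades
      - apt-listchanges
      - sudo-ldap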

# Source fzf's key bindings system-wide. The regexp keys on the path alone so
# the line is replaced (not duplicated) if its trailing marker ever changes.
- name: Configure FZF for Bash
  ansible.builtin.lineinfile:
    path: /etc/bash.bashrc
    regexp: '^source /usr/share/doc/fzf/examples/key-bindings.bash'
    line: 'source /usr/share/doc/fzf/examples/key-bindings.bash # Managed by Ansible'
    insertafter: EOF

# Clean-up: drop the old completion.bash line from bash.bashrc. Despite the
# task name this is not conditional on the release; it simply removes any
# line matching the regexp (insertafter is meaningless with state=absent).
- name: Configure FZF for Bash (Bookworm)
  ansible.builtin.lineinfile:
    path: /etc/bash.bashrc
    regexp: '^source /usr/share/doc/fzf/examples/completion.bash'
    state: absent

# Cut the boot menu delay to one second; /etc/default/grub is sourced as shell,
# so the trailing comment is harmless. The `Update grub` handler regenerates
# grub.cfg when the line changes.
- name: Shorten Grub timeout
  ansible.builtin.lineinfile:
    path: /etc/default/grub
    regexp: "^GRUB_TIMEOUT="
    line: 'GRUB_TIMEOUT=1 # Managed by Ansible'
  notify: Update grub

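# Route system cron output to `notify_email`. The regexp is needed so that a
# later change of the address replaces the existing MAILTO= line instead of
# appending a second one (without regexp, lineinfile only checks whether the
# exact rendered line is present). When no MAILTO line exists yet it is
# inserted after the PATH line.
- name: Configure cron email
  ansible.builtin.lineinfile:
    path: /etc/crontab
    regexp: '^MAILTO='
    insertafter: '^PATH'
    line: 'MAILTO={{ notify_email }}'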

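# Pin the sshd settings we care about: custom port, no password logins, no
# Debian version banner. Each regexp also matches the commented-out default
# so the stock line is replaced in place; `validate` runs `sshd -t` on the
# temp file so a broken edit never reaches the live config.
# NOTE(review): Debian's stock sshd_config starts with
# `Include /etc/ssh/sshd_config.d/*.conf` and sshd keeps the first value it
# sees, so a drop-in there (cloud images commonly ship one) silently wins over
# these lines — verify the effective config with `sshd -T`.
- name: Configure SSH
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    validate: "/usr/sbin/sshd -t -f %s"
  loop:
    - regexp: '^#?Port'
      line: 'Port {{ ssh_port }}'
    - regexp: '^#?PasswordAuthentication'
      line: 'PasswordAuthentication no'
    - regexp: '^#?DebianBanner'
      line: 'DebianBanner no'
  loop_control:
    label: "{{ item.line }}"
  when: manage_sshd_config | default(true) | bool
  notify: Reload sshd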