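---
# Installs Ansible and its supporting packages, prepares a root-only private
# directory, checks out the Ansible repository to /srv/ansible, links its
# facts directory into the nginx tree and installs root's .bashrc.

# The package list is handed to the package manager in a single call instead
# of one call per item. `present` is the state documented for
# ansible.builtin.package.
- name: install ansible packages
  ansible.builtin.package:
    name:
      - ansible
      - ansible-collection-ansible-posix
      - ansible-collection-community-general
      - python3-dns  # required for lookup('dig', 'hostname')
      - python38-netaddr  # required by iptables role
    state: present

# File modes are quoted throughout so they reach the module as octal strings
# rather than depending on how the YAML loader types a bare 0700.
- name: create private directory and force permissions
  ansible.builtin.file:
    path: /export/private
    owner: root
    group: root
    mode: "0700"
    state: directory

# /srv/private is only a symlink; access to the data is still decided by the
# 0700 root:root mode set on /export/private above.
- name: link private directory
  ansible.builtin.file:
    src: /export/private
    dest: /srv/private
    owner: root
    group: "{{ ansible_wheel }}"
    state: link
    follow: false

# sefcontext records the labelling rule in SELinux policy; it does not
# relabel files by itself, so a restorecon run may be needed once
# /srv/ansible has content.
# NOTE(review): the rule makes the whole checkout readable by the web server,
# while the tasks in this file only link /srv/ansible/facts into the nginx
# tree. Confirm against nginx.conf whether the rule can be narrowed to that
# subdirectory.
- name: allow http server to access /srv/ansible
  community.general.sefcontext:
    path: '/srv/ansible(/.*)?'
    setype: httpd_sys_content_t

# update: false leaves an existing checkout untouched on later runs.
# NOTE(review): no `version` is pinned and `verify_commit` is not set, so the
# initial clone accepts whatever the remote's default branch serves. If this
# checkout is what the host later executes, consider pinning a ref or
# requiring signed commits.
- name: clone ansible repository
  ansible.builtin.git:
    dest: /srv/ansible
    repo: https://git.foo.sh/ansible.git
    update: false

# NOTE(review): this places the facts directory under the per-host nginx
# tree. If it holds gathered host facts, confirm that nginx.conf restricts
# which clients may fetch them.
- name: link facts to nginx
  ansible.builtin.file:
    src: /srv/ansible/facts
    dest: "/srv/web/{{ inventory_hostname }}/facts"
    owner: root
    group: "{{ ansible_wheel }}"
    state: link
    follow: false

- name: create nginx conf
  ansible.builtin.copy:
    src: nginx.conf
    dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/ansible.conf"
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  notify: restart nginx

# 0600 keeps root's shell profile readable and writable by root only.
- name: add custom .bashrc for root
  ansible.builtin.copy:
    dest: /root/.bashrc
    src: root-bashrc.sh
    owner: root
    group: "{{ ansible_wheel }}"
    mode: "0600"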