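---
# Tasks that install a Cendio ThinLinc server (VSM server/agent plus the
# HTML5 web access service), run the vendor setup script once, and then
# adjust the ThinLinc .hconf files and TLS material for web access.

- name: install prequisites
  ansible.builtin.package:
    # One transaction for the whole list instead of one call per item.
    name:
      - gtk3
      - python3
      - python3-gobject
    state: present

# NOTE(review): gpgcheck is disabled, so RPM signatures are not verified
# for anything installed from this repository. HTTPS only authenticates
# the mirror; it does not prove the packages are the vendor's. If the
# vendor's signing key is available, set `gpgcheck: true` and add a
# `gpgkey:` entry pointing at it (key location is not shown in this file).
- name: install thinlinc repository
  ansible.builtin.yum_repository:
    name: thinlinc
    baseurl: "https://mirrors.foo.sh/thinlinc/{{ ansible_architecture }}"
    description: Cendio Thinlinc
    gpgcheck: false
    enabled: true

- name: install packages
  ansible.builtin.package:
    name:
      - thinlinc-tladm
      - thinlinc-tlmisc
      - thinlinc-tlmisc-libs
      - thinlinc-tlprinter
      - thinlinc-vnc-server
      - thinlinc-vsm
      - thinlinc-webaccess
    state: present

# `creates` makes this run only until the setup log exists, so repeated
# plays do not re-run the setup script.
- name: run thinlinc setup
  ansible.builtin.script:
    cmd: tl-setup.local.sh
    creates: /var/log/tlsetup.log

# NOTE(review): the rules file is not visible here. polkit rules can allow
# privileged actions without authentication, so confirm it is limited to
# the specific actions that produce dialogs at login.
- name: disable polkit auth dialogs during login
  ansible.builtin.copy:
    dest: /etc/polkit-1/rules.d/40-thinlinc-no-auth-dialogs.rules
    src: 40-thinlinc-no-auth-dialogs.rules
    # Quoted so the mode is not subject to YAML 1.1 octal integer parsing.
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"

- name: use gnome desktop automatically
  ansible.builtin.lineinfile:
    path: /opt/thinlinc/etc/conf.d/profiles.hconf
    regexp: '^order=.*'
    line: order=gnome

- name: disable introduction message
  ansible.builtin.lineinfile:
    path: /opt/thinlinc/etc/conf.d/profiles.hconf
    regexp: '^show_intro=.*'
    line: show_intro=false

- name: configure vsmagent hostname
  ansible.builtin.lineinfile:
    path: /opt/thinlinc/etc/conf.d/vsmagent.hconf
    regexp: '^agent_hostname=.*'
    line: "agent_hostname={{ inventory_hostname }}"
  notify: restart vsmagent

# The first source path that exists on the controller is used.
# NOTE(review): the fallback key is read from /srv/ca/certs/hosts/ while
# the fallback certificate below is read from /srv/ca/private/. The
# directory names suggest the two may be swapped; verify against the CA
# layout on the controller before relying on the fallback.
- name: copy private key
  ansible.builtin.copy:
    dest: /opt/thinlinc/etc/tlwebaccess/server.key
    src: "{{ item }}"
    mode: "0600"
    owner: root
    group: "{{ ansible_wheel }}"
  # Keep private key material out of --diff output and any logs of it.
  diff: false
  with_first_found:
    - "/srv/letsencrypt/live/{{ inventory_hostname }}/privkey.pem"
    - "/srv/ca/certs/hosts/{{ inventory_hostname }}.key"
  tags: certificates
  notify: restart tlwebaccess

# `validate` has openssl parse the staged file as an X.509 certificate
# before it replaces server.crt, so a malformed file is never installed.
- name: copy certificate
  ansible.builtin.copy:
    dest: /opt/thinlinc/etc/tlwebaccess/server.crt
    src: "{{ item }}"
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
    validate: /usr/bin/openssl x509 -in %s -noout
  with_first_found:
    - "/srv/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem"
    - "/srv/ca/private/{{ inventory_hostname }}.crt"
  tags: certificates
  notify: restart tlwebaccess

- name: configure webaccess port
  ansible.builtin.lineinfile:
    path: /opt/thinlinc/etc/conf.d/webaccess.hconf
    regexp: '^listen_port=.*'
    line: "listen_port=443"
  notify: restart tlwebaccess

- name: configure webaccess url
  ansible.builtin.lineinfile:
    path: /opt/thinlinc/etc/conf.d/webaccess.hconf
    regexp: '^login_page=.*'
    line: "login_page=https://{{ inventory_hostname }}/"
  notify: restart tlwebaccess

# Sets the GnuTLS priority string used by the web access service.
- name: configure webaccess tls settings
  ansible.builtin.lineinfile:
    path: /opt/thinlinc/etc/conf.d/webaccess.hconf
    regexp: '^gnutls_priority=.*'
    line: "gnutls_priority=SECURE256"
  notify: restart tlwebaccess

- name: start thinlinc services
  ansible.builtin.service:
    name: "{{ item }}"
    state: started
    enabled: true
  loop:
    - tlwebaccess
    - tlwebadm.service
    - vsmagent
    - vsmserver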