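---
# Deploys the "zm" KVM guest and configures it: /export mount, Kerberos
# (GSSAPI) protected Apache, unbound DNS zones, dhcpd, zoneminder and chrony
# for the camera network.

- import_playbook: "include/deploy-kvm-guest.yml myhosts=zm"

- name: configure instance
  hosts: zm
  user: root
  gather_facts: true

  vars_files:
    - "{{ ansible_private }}/vars.yml"

  pre_tasks:
    # The data volume is mounted with noexec,nosuid,nodev so that nothing
    # stored under /export can be executed, gain privileges through setuid
    # bits, or be used as a device node.
    - name: mount /export
      mount:
        name: /export
        src: LABEL=/export
        fstype: xfs
        opts: noatime,noexec,nosuid,nodev
        passno: "0"
        dump: "0"
        state: mounted

  roles:
    - base
    - mod_auth_gssapi
    # Service keytab for the HTTP principal, group-owned by apache.
    # NOTE(review): the file mode is set inside the keytab role, which is not
    # visible here; confirm it is not world-readable.
    - role: keytab
      keytab: /etc/httpd/httpd.keytab
      principals: HTTP/zm.foo.sh@FOO.SH
      group: apache

  tasks:
    - name: run handlers to get interfaces configured
      meta: flush_handlers

    # TODO: this should really be fixed
    # Permissive mode only logs policy violations and enforces nothing, so
    # the web-facing services on this host run without SELinux confinement.
    # NOTE(review): the usual way back to enforcing is to collect the AVC
    # denials and ship a local policy module, or to make only the affected
    # domain permissive instead of the whole system.
    - name: put selinux in permissive state
      selinux:
        policy: targeted
        state: permissive

    # Modes are quoted so the value does not depend on how the YAML parser
    # treats a leading zero (octal in YAML 1.1, plain integer in 1.2).
    - name: copy dns zone files
      copy:
        dest: "/var/lib/unbound/{{ item }}"
        src: "/srv/dns/{{ item }}"
        mode: "0644"
        owner: root
        group: "{{ ansible_wheel }}"
      tags: dns
      notify: restart unbound
      with_items:
        - 26.20.172.in-addr.arpa
        - cam.foo.sh

    - import_role:
        name: unbound

    - include_role:
        name: "{{ item }}"
      with_items:
        - dhcpd
        - zoneminder

    # NOTE(review): a debugging tool that stays installed; consider removing
    # it once it is no longer needed.
    - name: install extra packages for debugging
      package:
        name: rtmpdump
        state: installed

    # NOTE(review): the task name mentions munin, but the file written is
    # zoneminder-auth.conf; the name looks copied from another playbook.
    # GssapiBasicAuth Off disables the Basic-auth fallback, so clients must
    # authenticate with Kerberos tickets and no passwords reach the server.
    # NOTE(review): which Directory/Location these directives apply to is
    # decided by whatever includes conf.local.d; confirm that it covers the
    # whole zoneminder web UI and that the site is served over TLS.
    - name: require authentication for munin web
      copy:
        dest: /etc/httpd/conf.local.d/zoneminder-auth.conf
        content: |
          AuthType GSSAPI
          GssapiBasicAuth Off
          AuthName "Password Required"
          Require valid-user
        mode: "0644"
        owner: root
        group: "{{ ansible_wheel }}"
      notify: restart apache

    # Lets clients in 172.20.26.0/24 use this host as their NTP server.
    # NOTE(review): no handler is notified here, so the change takes effect
    # only when chronyd is restarted by something else; confirm.
    - name: enable ntp server for cam network
      lineinfile:
        path: /etc/chrony.conf
        regexp: "^#?allow .*"
        line: "allow 172.20.26.0/24"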