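---
# Installs and configures a Cendio ThinLinc server with the HTML5 web access
# service (tlwebaccess) listening on port 443 with a host certificate.
# Tasks that change tlwebaccess configuration notify the
# "Restart tlwebaccess" handler, which is defined outside this file.

# The package list is passed in a single call so the package manager resolves
# it in one transaction instead of once per item.
- name: Install prequisites
  ansible.builtin.package:
    name:
      - gtk3
      - librsvg2
      - polkit
      - python3
      - python3-gobject
    state: present

# NOTE(review): gpgcheck is disabled, so packages from this repository are
# installed without signature verification; integrity rests on HTTPS to the
# mirror alone. Enable gpgcheck and set gpgkey once the signing key for this
# mirror is published alongside it.
- name: Install ThinLinc repository
  ansible.builtin.yum_repository:
    name: thinlinc
    baseurl: "https://mirrors.foo.sh/thinlinc/{{ ansible_architecture }}"
    description: Cendio ThinLinc
    gpgcheck: false
    enabled: true

- name: Install packages
  ansible.builtin.package:
    name: thinlinc-server
    state: present

# `creates` makes this idempotent: the script is skipped once
# /var/log/tlsetup.log exists on the target.
- name: Run ThinLinc setup
  ansible.builtin.script:
    cmd: tl-setup.local.sh
    creates: /var/log/tlsetup.log

# NOTE(review): the rules file is not visible here; it relaxes polkit
# authentication prompts, so confirm it is scoped to the intended actions
# and sessions only.
- name: Disable polkit auth dialogs during login
  ansible.builtin.copy:
    dest: /etc/polkit-1/rules.d/40-thinlinc-no-auth-dialogs.rules
    src: 40-thinlinc-no-auth-dialogs.rules
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"

- name: Use GNOME desktop automatically
  ansible.builtin.lineinfile:
    path: /opt/thinlinc/etc/conf.d/profiles.hconf
    regexp: "^order=.*"
    line: order=gnome

- name: Disable introduction message
  ansible.builtin.lineinfile:
    path: /opt/thinlinc/etc/conf.d/profiles.hconf
    regexp: "^show_intro=.*"
    line: show_intro=false

# The first existing source wins: the Let's Encrypt key, else the internal CA
# key. Mode 0600 keeps the key readable by root only.
# diff is disabled so a --diff run never prints private key material.
- name: Copy private key
  ansible.builtin.copy:
    dest: /opt/thinlinc/etc/tlwebaccess/server.key
    src: "{{ item }}"
    mode: "0600"
    owner: root
    group: "{{ ansible_wheel }}"
  diff: false
  with_first_found:
    - "/srv/letsencrypt/live/{{ inventory_hostname }}/privkey.pem"
    - "/srv/ca/certs/hosts/{{ inventory_hostname }}.key"
  tags: certificates
  notify: Restart tlwebaccess

# `validate` only checks that the file parses as an X.509 certificate before
# it is put in place; it does not check that it matches server.key.
# NOTE(review): the fallback key is read from /srv/ca/certs/hosts/ while the
# fallback certificate is read from /srv/ca/private/. The directory names look
# swapped relative to their contents; confirm against the CA layout.
- name: Copy certificate
  ansible.builtin.copy:
    dest: /opt/thinlinc/etc/tlwebaccess/server.crt
    src: "{{ item }}"
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
    validate: /usr/bin/openssl x509 -in %s -noout
  with_first_found:
    - "/srv/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem"
    - "/srv/ca/private/{{ inventory_hostname }}.crt"
  tags: certificates
  notify: Restart tlwebaccess

- name: Configure webaccess port
  ansible.builtin.lineinfile:
    path: /opt/thinlinc/etc/conf.d/webaccess.hconf
    regexp: "^listen_port=.*"
    line: "listen_port=443"
  notify: Restart tlwebaccess

- name: Configure webaccess url
  ansible.builtin.lineinfile:
    path: /opt/thinlinc/etc/conf.d/webaccess.hconf
    regexp: "^login_page=.*"
    line: "login_page=https://{{ inventory_hostname }}/"
  notify: Restart tlwebaccess

# Sets the GnuTLS priority string for tlwebaccess to the SECURE256 keyword.
- name: Configure webaccess tls settings
  ansible.builtin.lineinfile:
    path: /opt/thinlinc/etc/conf.d/webaccess.hconf
    regexp: "^gnutls_priority=.*"
    line: "gnutls_priority=SECURE256"
  notify: Restart tlwebaccess

# Unit names are kept exactly as given, including the mixed use of the
# ".service" suffix.
- name: Enable services
  ansible.builtin.service:
    name: "{{ item }}"
    state: started
    enabled: true
  loop:
    - tlwebaccess
    - tlwebadm.service
    - vsmagent
    - vsmserver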