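---
# Installs Ansible and its helper libraries, prepares a root-only private
# directory, clones the playbook repository to /srv/ansible, links its
# facts directory under /srv/web and drops the nginx and root shell config.

- name: Install packages
  ansible.builtin.package:
    # The list is passed in one call so the package manager resolves it
    # in a single transaction instead of once per item.
    name:
      - ansible
      - ansible-collection-ansible-posix
      - ansible-collection-community-general
      - python3.11-dns  # required for lookup('dig', 'hostname')
      - python3.11-netaddr  # required by iptables role
    # "present" is the canonical state; "installed" is only a
    # backend-specific alias.
    state: present

- name: Create private directory and force permissions
  ansible.builtin.file:
    path: /export/private
    owner: root
    group: root
    # Quoted so the mode is read as an octal string, not an integer.
    mode: "0700"
    state: directory

# The link only adds a second path; access is still decided by the
# root-only 0700 mode on /export/private.
- name: Link private directory
  ansible.builtin.file:
    src: /export/private
    dest: /srv/private
    owner: root
    group: "{{ ansible_wheel }}"
    state: link
    # Ownership is applied to the link itself, not to its target.
    follow: false

# NOTE(review): sefcontext records the labelling rule only. Whether the
# checkout created by the next task ends up as httpd_sys_content_t
# without a relabel (restorecon) should be confirmed with `ls -Z`.
- name: Allow http server to access /srv/ansible
  community.general.sefcontext:
    path: '/srv/ansible(/.*)?'
    setype: httpd_sys_content_t

# update: false leaves an existing checkout untouched, so the branch is
# only read on the first clone.
# NOTE(review): master is a mutable ref. If this checkout is later run
# with privileges, consider pinning `version` to a tag or commit, or
# using the module's `verify_commit` option with signed commits.
- name: Clone ansible repository
  ansible.builtin.git:
    dest: /srv/ansible
    repo: https://git.foo.sh/foo.sh/ansible.git
    update: false
    version: master

# NOTE(review): this places the facts directory under /srv/web. Facts
# can describe hosts in detail, so confirm nginx.conf limits who may
# read this path.
- name: Link facts to nginx
  ansible.builtin.file:
    src: "/srv/ansible/facts"
    dest: "/srv/web/{{ inventory_hostname }}/facts"
    owner: root
    group: "{{ ansible_wheel }}"
    state: link
    follow: false

- name: Create nginx conf
  ansible.builtin.copy:
    src: nginx.conf
    dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/ansible.conf"
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  # The handler is defined outside this file.
  notify: Restart nginx

- name: Add custom .bashrc for root
  ansible.builtin.copy:
    dest: /root/.bashrc
    src: root-bashrc.sh
    owner: root
    group: "{{ ansible_wheel }}"
    # Readable and writable by root only.
    mode: "0600"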