# Baseline host setup: Ansible temp directories, local groups and users,
# package repositories, firewalld with `drop` as the default zone, and Cockpit.
# Variables read here: `users` (optional dict keyed by user name),
# `common_packages`, and `firewalld` (optional mapping; every firewall task
# is skipped when it is not defined).

# Pre-create the remote temp directory in the home of the account this task
# runs as. The mode is a quoted string so the file module parses it as octal.
# NOTE(review): 755 leaves the directory listable by every local account;
# confirm that is required (for example for become to another user),
# otherwise 0700 is the tighter choice.
- name: Create Ansible's temporary remote directory
  ansible.builtin.file:
    path: '~/.ansible/tmp'
    state: directory
    mode: '755'

# One group per entry in `users`, named after the dict key. `gid` has no
# default, so an entry without it raises an undefined-variable error.
- name: Create system user groups
  when: users is defined
  ansible.builtin.group:
    name: "{{ item.key }}"
    gid: "{{ item.value.gid }}"
    state: present
  loop: "{{ users | dict2items }}"
  loop_control:
    label: "{{ item.key }}"

# One account per entry in `users`. The primary group is given as the numeric
# gid, i.e. the group created by the previous task.
# Per-entry keys and their fallbacks:
#   groups   -> []                 supplementary groups
#   shell    -> /bin/bash
#   home     -> false              whether the home directory is created
#   homedir  -> /home/<user name>  where the home directory lives
#   system   -> false              whether this is a system account
# NOTE(review): `home` is the create flag and `homedir` is the path; the two
# are easy to confuse when writing inventory.
- name: Create system users
  when: users is defined
  ansible.builtin.user:
    name: "{{ item.key }}"
    state: present
    uid: "{{ item.value.uid }}"
    group: "{{ item.value.gid }}"
    groups: "{{ item.value.groups | default([]) }}"
    shell: "{{ item.value.shell | default('/bin/bash') }}"
    create_home: "{{ item.value.home | default(false) }}"
    home: "{{ item.value.homedir | default('/home/' + item.key) }}"
    system: "{{ item.value.system | default(false) }}"
  loop: "{{ users | dict2items }}"
  loop_control:
    label: "{{ item.key }}"

# Same temp directory as the first task, but inside each managed user's home
# and owned by that user. Only entries with a truthy `ansible_temp` get one.
# NOTE(review): 755 applies here too; Ansible stages module payloads below
# this path, so confirm other local accounts need read access to it.
- name: Create Ansible's temporary remote directory for users
  when:
    - users is defined
    - item.value.ansible_temp | default(false)
  ansible.builtin.file:
    path: "{{ item.value.homedir | default('/home/' + item.key) }}/.ansible/tmp"
    state: directory
    mode: '755'
    owner: "{{ item.key }}"
    group: "{{ item.value.gid }}"
  loop: "{{ users | dict2items }}"
  loop_control:
    label: "{{ item.key }}"

# NOTE(review): enabling EPEL adds another repository to the host's package
# trust set; everything installed after this point can resolve from it.
- name: Install EPEL repository
  ansible.builtin.dnf:
    name: epel-release
    state: present
    update_cache: true

# `common_packages` is not defined in this file and has no default here.
- name: Install useful software
  ansible.builtin.dnf:
    name: "{{ common_packages }}"
    state: present
    update_cache: true

# Fail early on a malformed `firewalld` variable, before any firewall change.
# NOTE(review): `firewalld.type` is validated here but not read by any task
# visible in this file; presumably it is consumed elsewhere.
- name: Assert valid firewalld config
  when: firewalld is defined
  ansible.builtin.assert:
    that:
      - firewalld is mapping
      - firewalld.type is defined
      - firewalld.type in ['simple', 'complex']
    fail_msg: "firewalld.type must be 'simple' or 'complex'"

- name: Install firewalld
  when: firewalld is defined
  ansible.builtin.dnf:
    name: firewalld
    state: present

- name: Start and enable firewalld service
  when: firewalld is defined
  ansible.builtin.systemd:
    name: firewalld
    state: started
    enabled: true

# Rich rule in the `drop` zone: accept SSH, limited to 10 per minute.
# Written to the permanent config and applied to the running firewall.
# `firewalld.drop_ssh` (default true) keeps the rule; false removes it.
# NOTE(review): with drop_ssh set to false the next task still makes `drop`
# the default zone, so SSH reachability then depends on rules defined
# elsewhere. Verify that before disabling it on a host managed over SSH.
- name: Update SSH rule in firewalld drop zone
  when: firewalld is defined
  ansible.posix.firewalld:
    zone: drop
    rich_rule: 'rule service name="ssh" accept limit value="10/m"'
    permanent: true
    immediate: true
    state: "{{ 'enabled' if (firewalld.drop_ssh | default(true)) else 'disabled' }}"

# Runs after the SSH rule task above. The command is reported as changed
# unless firewall-cmd printed ZONE_ALREADY_SET on stderr.
- name: Set drop as the default zone
  when: firewalld is defined
  ansible.builtin.command:
    cmd: firewall-cmd --set-default-zone=drop
  register: default_zone_result
  changed_when: "'ZONE_ALREADY_SET' not in default_zone_result.stderr"

# Cockpit is installed and its socket enabled unconditionally (no `when`).
# NOTE(review): cockpit.socket listens on TCP 9090 by default. No task
# visible here opens or restricts that port in firewalld, and when
# `firewalld` is undefined nothing in this file filters it. Confirm the
# intended exposure of the admin console.
- name: Install Cockpit
  ansible.builtin.dnf:
    name: cockpit
    state: present

- name: Enable and start Cockpit socket
  ansible.builtin.systemd:
    name: cockpit.socket
    enabled: true
    state: started