- name: Install useful software
  ansible.builtin.apt:
    name: "{{ packages }}"
    state: present
    update_cache: true

- name: Install GPG
  ansible.builtin.apt:
    name: gpg
    state: present

- name: Check for existing GPG keys
  ansible.builtin.command: >-
    gpg --list-keys {{ item.id }} 2>/dev/null
  register: gpg_check
  loop: "{{ root_gpgkeys }}"
  failed_when: false
  changed_when: false
  when: root_gpgkeys is defined

- name: Import GPG keys
  ansible.builtin.command: >-
    gpg --keyserver {{ item.item.server | default('keys.openpgp.org') }}
      --recv-key {{ item.item.id }}
  register: gpg_check_import
  loop: "{{ gpg_check.results }}"
  loop_control:
    label: "{{ item.item }}"
  changed_when: false
  when: root_gpgkeys is defined and item.rc != 0

- name: Check GPG key imports
  ansible.builtin.fail:
    msg: "{{ item.stderr }}"
  loop: "{{ gpg_check_import.results }}"
  loop_control:
    label: "{{ item.item.item }}"
  when:
    - root_gpgkeys is defined
    - not item.skipped | default(false)
    - "'imported' not in item.stderr"

- name: Create scripts directories
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    mode: "700"
    owner: root
    group: root
  loop:
    - "{{ base_scripts }}"
    - "{{ base_scripts }}/.keys"
  when: scripts is defined

- name: Generate OpenSSH deploy keys for script clones
  community.crypto.openssh_keypair:
    path: "{{ base_scripts }}/.keys/id_ed25519"
    type: ed25519
    comment: "{{ ansible_hostname }}-deploy-key"
    mode: "400"
    state: present
  when: scripts is defined

- name: Check for git installation
  ansible.builtin.apt:
    name: git
    state: present
  when: scripts is defined

- name: Clone external scripts projects
  ansible.builtin.git:
    repo: "{{ item.url }}"
    dest: "{{ base_scripts }}/{{ item.name }}"
    version: "{{ item.version }}"
    accept_newhostkey: "{{ item.accept_newhostkey | default(false) }}"
    gpg_allowlist: >-
      {{ (item.trusted_keys | default(scripts.trusted_keys) | default([]))
        | map(attribute='id')
        | list }}
    verify_commit: >-
      {{ true if
        ((item.trusted_keys | default(scripts.trusted_keys)) is defined
        and (item.trusted_keys | default(scripts.trusted_keys)))
        else false }}
    key_file: "{{ base_scripts }}/.keys/id_ed25519"
  loop: "{{ scripts.repos }}"
  loop_control:
    label: "{{ item.url }}"
  when: scripts is defined
  tags: scripts

- name: Synchronize scripts
  ansible.posix.synchronize:
    src: "{{ base_scripts }}/{{ item.0.name }}/{{ item.1.src }}"
    dest: "{{ item.1.dest }}"
  delegate_to: "{{ inventory_hostname }}"
  loop: "{{ scripts.repos | default([]) | subelements('scripts') }}"
  loop_control:
    label: "{{ item.0.name }}: {{ item.1.src }}"
  when: scripts is defined and scripts | length > 0
  tags: scripts

- name: Install NTPsec
  ansible.builtin.apt:
    name: ntpsec
    state: present

- name: Install locales
  ansible.builtin.apt:
    name: locales
    state: present

- name: Generate locale
  community.general.locale_gen:
    name: "{{ locale_default }}"
    state: present
  notify: reconfigure_locales

- name: Set the default locale
  ansible.builtin.lineinfile:
    path: /etc/default/locale
    regexp: "^LANG="
    line: "LANG={{ locale_default }}"

- name: Manage root authorized_keys
  ansible.builtin.template:
    src: authorized_keys.j2
    dest: /root/.ssh/authorized_keys
    mode: "400"
  when: authorized_keys is defined

- name: Create system user groups
  ansible.builtin.group:
    name: "{{ item.key }}"
    gid: "{{ item.value.gid }}"
    state: present
  loop: "{{ users | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  when: users is defined

- name: Create system users
  ansible.builtin.user:
    name: "{{ item.key }}"
    state: present
    uid: "{{ item.value.uid }}"
    group: "{{ item.value.gid }}"
    groups: "{{ item.value.groups | default([]) }}"
    shell: "{{ item.value.shell | default('/bin/bash') }}"
    create_home: "{{ item.value.home | default(false) }}"
    home: "{{ item.value.homedir | default('/home/' + item.key) }}"
    system: "{{ item.value.system | default(false) }}"
  loop: "{{ users | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  when: users is defined

- name: Create Ansible's temporary remote directory for users
  ansible.builtin.file:
    path: >-
      {{ item.value.homedir | default('/home/' + item.key) }}/.ansible/tmp
    state: directory
    mode: "700"
    owner: "{{ item.key }}"
    group: "{{ item.value.gid }}"
  loop: "{{ users | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  when:
    - users is defined
    - item.value.tmp | default(true)

- name: Set authorized_keys for system users
  ansible.posix.authorized_key:
    user: "{{ item.key }}"
    key: "{{ item.value.key }}"
    state: present
  loop: "{{ users | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  when: users is defined and item.value.key is defined

- name: Manage filesystem mounts
  ansible.posix.mount:
    path: "{{ item.path }}"
    src: "UUID={{ item.uuid }}"
    fstype: "{{ item.fstype }}"
    state: mounted
  loop: "{{ mounts }}"
  when: mounts is defined