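# Keep /etc/hosts in sync with the inventory: one "<ansible_host><TAB><hostname>" line per host.
# The loop yields inventory hostnames, so `item` already is the hostname; ansible_host must be
# defined for every host or the task stops on the undefined variable (deliberately strict).
- name: Update the /etc/hosts file with node name
  ansible.builtin.lineinfile:
    path: "/etc/hosts"
    # lineinfile matches with re.search, so the pattern is anchored and the hostname escaped:
    # the unanchored ".*\tnode1" also matched (and overwrote) the line for "node10".
    # "(\s|$)" still accepts pre-existing lines that carry aliases after the hostname.
    regexp: '^.*\t{{ item | regex_escape }}(\s|$)'
    line: "{{ hostvars[item]['ansible_host'] }}\t{{ item }}"
    state: present
    backup: true
  loop: "{{ groups['all'] }}"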

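# firewalld and nftables cannot both own the ruleset: firewalld is stopped and disabled here,
# nftables is enabled by the next task.
- name: disable firewalld
  ansible.builtin.systemd:
    name: "firewalld"
    enabled: false
    masked: false
    state: stopped
  # NOTE(review): the author saw this task fail on some runs ("not idempotent"). The usual
  # cause is the unit not being installed at all, which the systemd module reports as an
  # error. A blanket ignore_errors keeps the play going but also hides genuine failures —
  # confirm the cause and narrow it to a failed_when if possible.
  ignore_errors: true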

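# With firewalld gone the node has no host firewall unless nftables is running. This task
# only starts the service; the ruleset it loads is not managed in this file.
- name: enable nftables
  ansible.builtin.systemd:
    name: "nftables"
    state: started
    enabled: true
    masked: false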

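# Render the sysctl drop-in; `kernel_params` is checked by the next task so the settings are
# only re-applied when the file really changed.
- name: add kernel params
  ansible.builtin.template:
    src: kernel_params.conf.j2
    dest: /etc/sysctl.d/rke2_kernel_params.conf
    # sysctl.d fragments are root-owned, world-readable files; pin that instead of relying on
    # whatever mode a newly created file happens to get.
    owner: root
    group: root
    mode: "0644"
  register: kernel_params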

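# Re-read every sysctl.d fragment, but only when the drop-in above changed. `command` suffices:
# no shell features are used, so there is no reason to spawn a shell.
- name: load kernel params
  ansible.builtin.command: sysctl --system
  when: kernel_params is changed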

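# Primary group for the etcd service account created by the next task. `system` only applies
# when the group is created, so existing groups are left as they are.
- name: add group - etcd
  ansible.builtin.group:
    name: etcd
    state: present
    system: true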

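# etcd runs as an unprivileged service account: no login shell, no home directory, and a
# system UID. The original task created a regular login-capable user with a home directory.
- name: add user - etcd
  ansible.builtin.user:
    name: etcd
    group: etcd
    system: true
    shell: /sbin/nologin
    create_home: false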

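# The image's default "rocky" login (uid 1000) is an unneeded interactive account on a
# cluster node; drop it together with its home directory and mail spool.
- name: remove rocky user at uid 1000
  ansible.builtin.user:
    name: rocky
    state: absent
    remove: true
  # NOTE(review): userdel refuses to remove an account that still owns processes, which is
  # exactly the case whenever this play connects as "rocky". That is the only obvious reason
  # for the blanket ignore_errors — confirm the connection user rather than relying on it.
  ignore_errors: true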

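# Fetch the Mozilla CA bundle published by the curl project. The original task wrote it with
# no integrity check and re-downloaded it on every run.
- name: Download root CA
  ansible.builtin.get_url:
    url: https://curl.se/ca/cacert.pem
    # Explicit file name; the directory-only dest produced the same path implicitly.
    dest: /etc/ssl/certs/cacert.pem
    # Verify against the publisher's digest before the file lands in the trust path. A matching
    # digest on an existing file also skips the download, which makes the task idempotent.
    checksum: "sha256:https://curl.se/ca/cacert.pem.sha256"
    mode: "0644"
    # validate_certs is left at its default (true): the bundle arrives over a verified TLS
    # connection as well as being digest-checked.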

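# Regenerate the consolidated trust stores. Plain `command`: nothing here needs a shell.
- name: Update CA trust
  ansible.builtin.command: update-ca-trust
  # NOTE(review): on RHEL-family hosts update-ca-trust only consolidates what is under
  # /etc/pki/ca-trust/source; a bundle dropped into /etc/ssl/certs by the previous task is not
  # picked up by it. Confirm what actually consumes cacert.pem before relying on this step.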


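# Grow the root LV onto space added to the underlying volume. Device, partition and LV name are
# still hard-coded (/dev/vda, partition 2, /dev/mapper/*root); this has only been exercised on
# that layout — "experimental" in the author's words.
- name: Resize the disks if volume was expanded (experimental)
  # growpart exits 0 when the partition was grown, 1 when there is nothing to do, 2 on error.
  # The original script ran pvresize/lvresize unconditionally and only the last exit status was
  # seen, so a host with no new space failed on lvresize refusing a no-op resize, while a
  # failing growpart went unnoticed. Only the "grown" case now proceeds, and the task reports
  # "changed" only when it actually resized something.
  ansible.builtin.shell: |
    /usr/bin/growpart /dev/vda 2 && rc=0 || rc=$?
    if [ "$rc" -ne 0 ] && [ "$rc" -ne 1 ]; then
      exit "$rc"
    fi
    if [ "$rc" -eq 0 ]; then
      set -e
      /usr/sbin/pvresize -y -q /dev/vda2
      /usr/sbin/lvresize -y -q -r -l +100%FREE /dev/mapper/*root
      echo RESIZED
    fi
  register: resize_disks
  changed_when: "'RESIZED' in resize_disks.stdout"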

# Drop to permissive — not disabled — while the custom policy modules below are compiled and
# installed; the last task in this file returns the host to enforcing.
- name: Disable SELinux
  ansible.builtin.selinux:
    state: permissive
    policy: targeted

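# Control-plane only: the OpenStack cloud-controller-manager needs an SELinux exception to read
# /etc/ssl/certs. The build is gated on the .te source having changed, so a re-run of the play
# no longer recompiles and reinstalls the module every time.
- name: Copy SELinux Policies
  ansible.builtin.template:
    src: ../selinux/my-openstack.te
    dest: /etc/selinux/targeted/policy/my-openstack.te
    mode: "0644"
  register: selinux_openstack_te
  when: "'control-plane' in group_names"

- name: Build SELinux exception module & allow openstack CCM to mount the /etc/ssl/certs files
  # set -e: previously only semodule's exit status was seen, so a failing checkmodule could
  # leave a stale .mod/.pp from an earlier run to be installed while the task reported success.
  # NOTE(review): if the build fails after the .te changed, the next run skips it until the .te
  # changes again — rerun with a modified source or clear the register condition in that case.
  ansible.builtin.shell: |
    set -e
    checkmodule -M -m -o /etc/selinux/targeted/policy/my-openstack.mod /etc/selinux/targeted/policy/my-openstack.te
    semodule_package -o /etc/selinux/targeted/policy/my-openstack.pp -m /etc/selinux/targeted/policy/my-openstack.mod
    semodule -i /etc/selinux/targeted/policy/my-openstack.pp
  when:
    - "'control-plane' in group_names"
    - selinux_openstack_te is changed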

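# Control-plane only: SELinux exception module for kube-apiserver. The build runs only when
# the .te source changed, so a re-run of the play is a no-op here.
- name: Copy SELinux Policies (kube-apiserver)
  ansible.builtin.template:
    src: ../selinux/my-kube-apiserver.te
    dest: /etc/selinux/targeted/policy/my-kube-apiserver.te
    mode: "0644"
  register: selinux_kube_apiserver_te
  when: "'control-plane' in group_names"

- name: Build SELinux exception module (kube-apiserver)
  # set -e: previously only semodule's exit status was seen, so a failing checkmodule could
  # leave a stale .mod/.pp from an earlier run to be installed while the task reported success.
  ansible.builtin.shell: |
    set -e
    checkmodule -M -m -o /etc/selinux/targeted/policy/my-kube-apiserver.mod /etc/selinux/targeted/policy/my-kube-apiserver.te
    semodule_package -o /etc/selinux/targeted/policy/my-kube-apiserver.pp -m /etc/selinux/targeted/policy/my-kube-apiserver.mod
    semodule -i /etc/selinux/targeted/policy/my-kube-apiserver.pp
  when:
    - "'control-plane' in group_names"
    - selinux_kube_apiserver_te is changed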

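# Every host gets exactly one prometheus/node_exporter policy source — the "master" variant
# on control-plane nodes, the "agent" variant everywhere else — rendered to the same .te path.
# The build below runs on all hosts but only when whichever variant applies actually changed.
- name: Copy SELinux Policies (prometheus/node_exporter)
  ansible.builtin.template:
    src: ../selinux/my-prometheus_master.te
    dest: /etc/selinux/targeted/policy/my-prometheus.te
    mode: "0644"
  register: selinux_prometheus_master_te
  when: "'control-plane' in group_names"

- name: Copy SELinux Policies (prometheus/node_exporter) on agents
  ansible.builtin.template:
    src: ../selinux/my-prometheus_agent.te
    dest: /etc/selinux/targeted/policy/my-prometheus.te
    mode: "0644"
  register: selinux_prometheus_agent_te
  when: "'control-plane' not in group_names"

- name: Build SELinux exception module (prometheus/node_exporter)
  # set -e: previously only semodule's exit status was seen, so a failing checkmodule could
  # leave a stale .mod/.pp from an earlier run to be installed while the task reported success.
  ansible.builtin.shell: |
    set -e
    checkmodule -M -m -o /etc/selinux/targeted/policy/my-prometheus.mod /etc/selinux/targeted/policy/my-prometheus.te
    semodule_package -o /etc/selinux/targeted/policy/my-prometheus.pp -m /etc/selinux/targeted/policy/my-prometheus.mod
    semodule -i /etc/selinux/targeted/policy/my-prometheus.pp
  # A skipped copy task registers a result that is not "changed", so each host is driven by
  # the one variant that ran for it.
  when: selinux_prometheus_master_te is changed or selinux_prometheus_agent_te is changed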

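# Agents only: SELinux exception module for hubble. The build runs only when the .te source
# changed, so a re-run of the play is a no-op here.
- name: Copy SELinux Policies (hubble) on agents
  ansible.builtin.template:
    src: ../selinux/my-hubble.te
    dest: /etc/selinux/targeted/policy/my-hubble.te
    mode: "0644"
  register: selinux_hubble_te
  when: "'control-plane' not in group_names"

- name: Build SELinux exception module (hubble)
  # set -e: previously only semodule's exit status was seen, so a failing checkmodule could
  # leave a stale .mod/.pp from an earlier run to be installed while the task reported success.
  ansible.builtin.shell: |
    set -e
    checkmodule -M -m -o /etc/selinux/targeted/policy/my-hubble.mod /etc/selinux/targeted/policy/my-hubble.te
    semodule_package -o /etc/selinux/targeted/policy/my-hubble.pp -m /etc/selinux/targeted/policy/my-hubble.mod
    semodule -i /etc/selinux/targeted/policy/my-hubble.pp
  when:
    - "'control-plane' not in group_names"
    - selinux_hubble_te is changed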


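# Create the RKE2 manifests directory (intermediate directories are created as well).
# `recurse` was dropped: it only propagates owner/group/mode to existing contents, and none
# are given here, so it was a pointless walk of the whole tree on every run.
- name: Ensure /var/lib/rancher/rke2/server/manifests
  ansible.builtin.file:
    path: /var/lib/rancher/rke2/server/manifests
    state: directory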

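# Create the RKE2 configuration directory (intermediate directories are created as well).
# `recurse` was dropped: it only propagates owner/group/mode to existing contents, and none
# are given here, so it had no effect beyond walking the tree on every run.
- name: Ensure /etc/rancher/rke2
  ansible.builtin.file:
    path: /etc/rancher/rke2
    state: directory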

# Return to enforcing now that the custom policy modules above are installed; keep this as the
# last SELinux-related task so nothing runs in the permissive window unnecessarily.
- name: Enable SELinux
  ansible.builtin.selinux:
    state: enforcing
    policy: targeted