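---
# Bootstrap tasks for a Debian host: backports repo, base packages, firewall,
# sysctl tweaks, SSH hardening, fstab changes and a self-signed TLS bootstrap.
# File modes are written as quoted octal strings so they parse the same under
# YAML 1.1 and 1.2 loaders; Ansible converts them with int(mode, 8).

- name: Verify assertions
  # Everything below assumes Debian 10 or newer (apt, ufw, backports naming).
  assert:
    that:
      - ansible_distribution == "Debian"
      - ansible_distribution_major_version|int >= 10

- name: Enable the backports repo
  # Plain http is acceptable for integrity because apt verifies the Release
  # signature against the archive keyring; it gives no confidentiality.
  loop:
    - deb
    - deb-src
  apt_repository:
    repo: >-
      {{ item }} http://deb.debian.org/debian
      {{ ansible_distribution_release }}-backports main contrib non-free
    state: present
    update_cache: true

- name: Set normal priority for the backports repo
  # Priority 500 equals the default archive priority, so any package with a
  # newer backports version is upgraded to it automatically, not only when
  # requested with "-t <release>-backports". Presumably intentional.
  copy:
    content: |
      Package: *
      Pin: release o=Debian Backports
      Pin-Priority: 500
    dest: /etc/apt/preferences.d/backports
    group: root
    mode: "0644"
    owner: root

- name: Install packages
  # NOTE(review): docker.io and ufw together need care — Docker manages its
  # own iptables chains, so published container ports can be reachable
  # regardless of the UFW policy set below unless Docker's iptables handling
  # is disabled or ports are bound to 127.0.0.1. Confirm for this host.
  apt:
    cache_valid_time: 3600
    name:
      - amd64-microcode
      - btrfs-progs
      - cryptsetup
      - docker.io
      - fwupd
      - intel-microcode
      - libpam-mount-bin
      - python3-cryptography
      - rsync
      - tmux
      - ufw
    state: present

- name: Rate limit SSH
  # "limit" allows SSH but throttles repeated connection attempts from one
  # source; it is added before UFW is enabled so the policy switch below
  # cannot lock out the session.
  community.general.ufw:
    rule: limit
    port: ssh
    proto: tcp

- name: Enable UFW
  # Default policy for incoming traffic; only the SSH rule above is allowed.
  community.general.ufw:
    default: reject
    state: enabled

- name: Allow unprivileged user namespaces
  # Widens the kernel attack surface reachable by unprivileged users;
  # presumably required for rootless containers or similar — confirm.
  ansible.posix.sysctl:
    name: kernel/unprivileged_userns_clone
    state: present
    value: "1"

- name: Allow more inotify watches
  ansible.posix.sysctl:
    name: fs.inotify.max_user_watches
    state: present
    value: "640000"

- name: Secure SSH
  # Only the global section is meant to change: the anchored pattern matches
  # the directive at column 0 (commented out or not) and leaves indented
  # "Match" block settings alone. If the directive is absent the line is
  # inserted before the first Match block rather than at end of file.
  # sshd only picks this up after a reload — assumed to be done by a handler
  # or a later task outside this file; confirm.
  with_dict:
    PermitRootLogin: 'no'
    PasswordAuthentication: 'no'
  lineinfile:
    backup: true
    line: '{{ item.key }} {{ item.value }}'
    path: /etc/ssh/sshd_config
    regexp: '^#?{{ item.key }}\b'
    insertbefore: '^Match\s'
    firstmatch: true
    state: present
    validate: sshd -Tf %s

- name: Make /tmp a tmpfs mount
  # state: present only writes the fstab entry; nothing is mounted until the
  # next boot or an explicit mount.
  ansible.posix.mount:
    fstype: tmpfs
    name: /tmp
    src: none
    opts: "defaults,nosuid,nodev"
    state: present

- name: Disable swap
  # Remove only non-comment fstab entries whose type field is "swap";
  # comment lines that merely mention swap are kept. An active swap device
  # stays active until swapoff or reboot.
  lineinfile:
    backup: true
    path: /etc/fstab
    regexp: '^\s*[^#\s].*\sswap\s'
    state: absent

- name: Set UID/GID mapping range
  # Same 65536-id subordinate range for both files. The user name is
  # hard-coded; presumably the account provisioned elsewhere — confirm.
  loop:
    - /etc/subgid
    - /etc/subuid
  copy:
    content: |
      nimrod:100000:65536
    dest: '{{ item }}'
    group: root
    mode: "0644"
    owner: root

- name: Create my www directory
  file:
    group: www-data
    mode: "0755"
    owner: www-data
    path: /var/www
    state: directory

- name: Create an SSL directory under /var
  file:
    group: root
    mode: "0755"
    owner: root
    path: /var/ssl
    state: directory

# I know that I can use Ansible modules instead of calling OpenSSL directly, but
# with the command module I can easily skip the task if the private key or the
# certificate already exist. The point is to create an SSL and self-signed
# certificate only as a bootstrap step. Once there is an existing (and assumed
# valid) certificate, don't overwrite it.
- name: Create private SSL key
  command:
    cmd: openssl genrsa -out /var/ssl/site.key 4096
    creates: /var/ssl/site.key

- name: Make sure the private key is accessible
  # NOTE(review): "0644" leaves the private key world-readable. If the service
  # that uses it reads the key as root before dropping privileges (typical for
  # web servers), "0600" suffices — confirm the consumer before tightening.
  file:
    mode: "0644"
    path: /var/ssl/site.key
    state: file

- name: Create SSL certificate
  # Without -days, openssl req -x509 issues a 30-day certificate, and -batch
  # with no -subj uses the configured default subject. Because "creates"
  # skips the task once the file exists, an expired bootstrap certificate is
  # not regenerated by this play.
  command:
    cmd: >-
      openssl req -x509 -out /var/ssl/site.crt -nodes
      -key /var/ssl/site.key -batch
    creates: /var/ssl/site.crt

- name: Create Diffie-Hellman Parameters file
  # force: false keeps an existing file; generating a 4096-bit group is slow.
  community.crypto.openssl_dhparam:
    force: false
    mode: "0644"
    path: /var/ssl/dhparams
    size: 4096
    state: present

- name: Copy btrfs copy script
  # mode: preserve keeps the source file's permission bits.
  copy:
    dest: /usr/local/sbin/btrfs-backup
    group: root
    mode: preserve
    owner: root
    src: btrfs-backup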