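---
# Provisions the "atlas" host group: libvirt/KVM packages, a PostgreSQL
# database (terraform_state) reachable from 10.42.0.0/24, a network interface
# drop-in, and an SSH-certificate-based backup account.
- name: Setup Atlas
  hosts: atlas

  handlers:
    - name: restart postgres
      systemd:
        name: postgresql
        state: restarted

    - name: enable interfaces
      command:
        cmd: ifup -a

    # NOTE(review): nothing here validates the sshd drop-in before the
    # restart; a syntax error in sshd.conf could cut off SSH access.
    - name: restart sshd
      systemd:
        name: sshd
        state: restarted

  tasks:
    - name: Update
      apt:
        autoremove: true
        # Quoted so the module receives the string choice "yes" instead of a
        # YAML boolean.
        upgrade: "yes"
        state: latest
        update_cache: true
        cache_valid_time: 86400

    - name: Install packages
      apt:
        pkg:
          - qemu-kvm
          - libvirt-daemon-system
          - postgresql
          - python3-psycopg2
          - sudo
          - bridge-utils

    - name: Start libvirtd
      systemd:
        name: libvirtd
        enabled: true
        state: started

    - name: Add root to libvirt group
      user:
        name: root
        groups: libvirt
        append: true

    # Stops and disables AppArmor for the whole host.
    # NOTE(review): this also drops any AppArmor confinement libvirt would
    # apply to QEMU guests. If one profile is the problem, a narrower
    # exception is preferable; confirm why a host-wide disable is needed.
    - name: Disable apparmor
      systemd:
        name: apparmor
        enabled: false
        state: stopped

    # The role is created before the database: the database task names
    # "terraform" as owner, and PostgreSQL rejects an owner role that does not
    # exist yet, so the original order failed on a fresh host.
    # NOTE(review): the role is created without a password.
    - name: Create database user
      postgresql_user:
        name: terraform
      become: true
      become_user: postgres

    - name: Create terraform database
      postgresql_db:
        name: terraform_state
        owner: terraform
      become: true
      become_user: postgres

    - name: Grant database user access to database
      postgresql_privs:
        type: database
        database: terraform_state
        roles: terraform
        grant_option: false
        privs: all
      become: true
      become_user: postgres
      notify: restart postgres

    # NOTE(review): "method: trust" lets any client in 10.42.0.0/24 connect as
    # "terraform" with no password, and "databases: all" extends that to every
    # database on this server. Consider scram-sha-256 with a vaulted password
    # and restricting "databases" to terraform_state.
    - name: Allow remote access to database for user
      postgresql_pg_hba:
        dest: /etc/postgresql/15/main/pg_hba.conf
        contype: host
        databases: all
        method: trust
        users: terraform
        address: "10.42.0.0/24"
        create: true
      become: true
      become_user: postgres
      notify: restart postgres

    # listen_addresses = '*' makes PostgreSQL accept connections on every
    # interface; access is then limited only by pg_hba.conf and whatever host
    # firewall exists.
    # NOTE(review): consider binding to the internal address only.
    - name: Open postgres port
      ini_file:
        path: /etc/postgresql/15/main/postgresql.conf
        # null section: the option is written outside any [section] header.
        section: null
        option: listen_addresses
        value: "'*'"
      notify: restart postgres

    - name: Copy interfaces configuration
      copy:
        src: dmz.conf
        dest: /etc/network/interfaces.d/dmz.conf
        mode: "0644"
      notify: enable interfaces

    # System account with a locked password ('!') and a nologin shell.
    - name: Add backup user
      user:
        name: lewis
        create_home: false
        password: '!'
        shell: /sbin/nologin
        system: true

    # The SSH trust files below get explicit root ownership and a mode that is
    # not group- or world-writable, rather than depending on the umask.
    # presumably sshd.conf references them through AuthorizedPrincipalsFile and
    # TrustedUserCAKeys; sshd.conf is not visible here, so verify.
    - name: Add backup user principals file
      copy:
        dest: "/etc/ssh/lewis_principals"
        content: "backup"
        owner: root
        group: root
        mode: "0644"

    # Any certificate signed by this CA is trusted for the principals sshd is
    # configured to accept, so user_ca must come from a controlled source.
    - name: Install user CA
      copy:
        dest: "/etc/ssh/user_ca_key.pub"
        content: "{{ user_ca }}"
        owner: root
        group: root
        mode: "0644"

    - name: Copy ssh config for backup user
      copy:
        src: "sshd.conf"
        dest: "/etc/ssh/sshd_config.d/custom.conf"
        owner: root
        group: root
        mode: "0644"
      notify: restart sshd

  # Ansible runs a play's roles before its tasks, whatever the key order in
  # the file.
  roles:
    - githubixx.ansible_role_wireguard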