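---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licenses/gpl-3.0.txt if the file is missing.

# Post-install tasks: adjust the installed package set, grant the AUR user
# password-less pacman, select the Pacman mirrors and drop in hardened
# systemd overrides. The etckeeper.inc includes bracket the changes
# (upstream.yml / merge.yml / local.yml).

### UPSTREAM BEGIN ⇒ ###
- name: pull prerequisites from upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: upstream.yml
  vars:
    msg: 'Post-install'
### ⇐ UPSTREAM BEGIN ###

- name: remove unneeded software
  package:
    name: '{{item}}'
    state: absent
  with_items: "{{software_to_del}}"

- name: install sudo
  package:
    name: sudo

- name: install wanted software
  package:
    name: '{{item}}'
  with_items: "{{software_to_add}}"

# NOTE(review): the sudoers wildcards below match any argument list that
# contains "-S" or "-U", and pacman runs package install scripts as root, so
# this rule is effectively password-less root for {{aur_user}}. Treat that
# account as privileged (no remote login, no shared use) and consider moving
# the rule to its own file under /etc/sudoers.d.
- name: allow AUR user to install software
  lineinfile:
    path: /etc/sudoers
    # The user name is escaped so regex metacharacters in it match literally.
    regexp: "^{{aur_user | regex_escape()}}.*/usr/bin/pacman"
    # ">-" folds the rule onto one line and passes no trailing newline.
    line: >-
      {{aur_user}} ALL=(ALL) NOPASSWD:
      /usr/bin/pacman *-S* , /usr/bin/pacman *-U*
    insertafter: EOF
    # Syntax-check the edited copy before it replaces /etc/sudoers, so a
    # malformed line cannot break sudo.
    validate: /usr/bin/visudo -cf %s

### UPSTREAM END ⇒ ###
- name: merge upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: merge.yml
  vars:
    msg: 'Post-install'
### ⇐ UPSTREAM END ###

# Pacman mirrors (after updates)
# Both regexps build an alternation from software_mirrors: the escaped spaces
# are replaced by "|", so the variable is presumably a space-separated list of
# mirror host names (confirm against the inventory).
# NOTE(review): only these two tasks prefix the path with {{chroot}}; the
# other tasks in this file write to /etc directly. Confirm that is intended.
- name: enable the chosen Pacman mirrors
  replace:
    path: "{{chroot}}/etc/pacman.d/mirrorlist"
    # Uncomment every commented line whose URL host is a chosen mirror.
    regexp: "^#(.*//(?:{{software_mirrors | regex_escape() | replace('\\ ', '|')}})/.*)$"
    replace: '\1'

- name: disable other Pacman mirrors
  replace:
    path: "{{chroot}}/etc/pacman.d/mirrorlist"
    # Comment out every active line that does not name a chosen mirror.
    regexp: "^([^#](?:(?!//(?:{{software_mirrors | regex_escape() | replace('\\ ', '|')}})/).)*)$"
    replace: '#\1'

### LOCAL COMMIT ⇒ ###
- name: commit local changes
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: local.yml
  vars:
    msg: 'pacman mirrors (after updates)'
### ⇐ LOCAL COMMIT ###

# One drop-in directory per systemd configuration file or unit overridden
# by the next task.
- name: create systemd override-directories
  file:
    path: "/etc/systemd/{{item}}.d"
    state: directory
    # Modes are quoted so they reach Ansible as strings, not YAML integers.
    mode: "0755"
  with_items:
    - coredump.conf
    - logind.conf
    - system.conf
    - user.conf
    - system/tmp.mount

# Each item is written verbatim as a drop-in named secure-{{nickname}}.conf.
# The drop-ins disable core dumps (Storage=none, DumpCore=no,
# DefaultLimitCORE=0), turn on memory accounting, make logind kill user
# processes and reboot on the power key, and mount /tmp with
# nosuid,nodev,noexec. The empty "Options=" line precedes the new option list
# in the tmp.mount drop-in.
- name: secure systemd settings
  copy:
    content: "{{item.content}}"
    dest: "/etc/systemd/{{item.path}}.d/secure-{{nickname}}.conf"
    mode: "0644"
  with_items:
    - path: coredump.conf
      content: |
        [Coredump]
        Storage=none
    - path: logind.conf
      content: |
        [Login]
        NAutoVTs=2
        KillUserProcesses=yes
        HandlePowerKey=reboot
        PowerKeyIgnoreInhibited=yes
    - path: system.conf
      content: |
        [Manager]
        DumpCore=no
        DefaultMemoryAccounting=yes
        DefaultLimitCORE=0
    - path: user.conf
      content: |
        [Manager]
        DumpCore=no
        DefaultMemoryAccounting=yes
        DefaultLimitCORE=0
    - path: system/tmp.mount
      content: |
        [Mount]
        Options=
        Options=mode=1777,strictatime,nosuid,nodev,noexec

### LOCAL COMMIT ⇒ ###
- name: commit local changes
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: local.yml
  vars:
    msg: 'Post-install'
### ⇐ LOCAL COMMIT ###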