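---
# Ansible role tasks: build a Bastille "services" template for this role,
# create and start the jail from it, seed the jail with users/groups/ssh
# keys and publish an AAAA record for it.
#
# Variables used here but defined elsewhere (not visible in this file):
#   role_name, release, jailip (registered result of an earlier task),
#   jailgroups, jailusers, defaults.group, defaults.jailbase, dns.zone,
#   hetzner_dns_token.
#
# Changes versus the previous version of this file:
#   - boolean written as `true` rather than `yes`
#   - Jinja-bearing paths quoted everywhere
#   - commands without shell syntax run through ansible.builtin.command
#     so no shell interprets the interpolated values
#   - the DNS task carries no_log so the API token never reaches the log
#   - FQCN module names throughout, matching the later tasks

- name: create services template dir
  ansible.builtin.file:
    path: "/usr/local/bastille/templates/services/{{ role_name }}"
    state: directory
    recurse: true

- name: copy template config files
  ansible.builtin.template:
    src: Bastillefile.j2
    dest: "/usr/local/bastille/templates/services/{{ role_name }}/Bastillefile"

- name: create config paths
  ansible.builtin.file:
    path: "/usr/local/bastille/templates/services/{{ role_name }}/{{ item }}/"
    state: directory
    recurse: true
  loop:
    - etc/ssh
    - usr/share/skel

# NOTE(review): no owner/mode is set on the copied files; the defaults of
# the copy module apply — confirm that matches what the jail expects.
- name: copy sshd config file
  ansible.builtin.copy:
    src: sshd_config
    dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/ssh/"

- name: copy motd file
  ansible.builtin.copy:
    src: motd
    dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/motd.template"

- name: copy skel files
  ansible.builtin.copy:
    src: "skel/{{ item }}"
    dest: "/usr/local/bastille/templates/services/{{ role_name }}/usr/share/skel/{{ item }}"
  loop:
    - dot.bash_profile
    - dot.cshrc
    - dot.emacs
    - dot.login
    - dot.login_conf
    - dot.profile
    - dot.shrc

- name: copy resolv.conf file
  ansible.builtin.template:
    src: resolv.conf.j2
    dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/resolv.conf"

- name: copy hosts file
  ansible.builtin.template:
    src: hosts.j2
    dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/hosts"

# No shell features are needed, so `command` is used: the interpolated
# values are passed as argv entries and never parsed by /bin/sh.
# `creates` makes this idempotent: skipped once the jail directory exists.
- name: create jail
  ansible.builtin.command: "bastille create -B {{ role_name }} {{ release }} {{ jailip.stdout }}/64 bridge0"
  args:
    creates: "/usr/local/bastille/jails/{{ role_name }}"

# `|| true` needs a shell, so this one stays a shell task.
# https://github.com/BastilleBSD/bastille/issues/342
- name: start jail
  ansible.builtin.shell: "bastille start {{ role_name }} || true"

# Has no `creates`/`changed_when`, so it runs (and reports changed) on
# every play — unchanged from the previous version of this file.
- name: template jail
  ansible.builtin.command: "bastille template {{ role_name }} services/{{ role_name }}"

# FIXME: loop over files and check size somehow, or always copy? use file module?
- name: copy skel files into jail template
  ansible.builtin.command: "cp -r /usr/local/bastille/templates/services/{{ role_name }}/usr/share/skel /usr/local/bastille/jails/{{ role_name }}/root/etc/"
  # args:
  #   creates: "/usr/local/bastille/jails/{{ role_name }}/root/etc/skel"

# these will later be used by bin/user.sh (see below) to be installed
# into the user homes
# NOTE(review): copies the whole `keys` directory with the copy module's
# default owner/mode; confirm that is what the jail users' key handling
# expects.
- name: copy user ssh keys
  ansible.builtin.copy:
    src: keys
    dest: "/usr/local/bastille/"

# create our login class, needed for rctl rules
- name: create jail login class
  ansible.builtin.blockinfile:
    path: "/usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf"
    append_newline: true
    prepend_newline: true
    block: |
      jail:\
        :tc=default:
  # shell: |
  #   ( echo "jail:\\"; printf "\t:tc=default:\n" ) >> /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
  #   cap_mkdb /usr/local/bastille/jails/{{ role_name }}/root/etc/login.conf
  #   touch /tmp/.ansiblepubloginconf
  # args:
  #   creates: /tmp/.ansiblepubloginconf

# create our own group[s]
# NOTE(review): the jail root is hard-coded here but derived from
# defaults.jailbase in the users task below — confirm the two agree.
- name: Manage groups
  loop: "{{ jailgroups }}"
  ansible.builtin.script: "bin/group.sh -g {{ item.name }} -a {{ item.state }} -d /usr/local/bastille/jails/{{ role_name }}/root"

# The normal ansible user module can't be used here, because we're
# talking about jail users here. I tried to patch the module to
# support the -R flag (https://github.com/ansible/ansible/pull/84371)
# but it makes no sense. Every single function needs to be patched so
# that it works for jails.
#
# So, instead I'm just using this simple script, which does the job as
# well.
- name: Manage users
  loop: "{{ jailusers }}"
  ansible.builtin.script: "bin/user.sh -u {{ item.name }} -g '{{ item.groups | default(defaults.group) }}' -c {{ role_name }}-user -a {{ item.state }} -d {{ defaults.jailbase }}/{{ role_name }}/root"

# no_log keeps hetzner_token (and the rest of the module args) out of
# verbose output and callback logs.
- name: add dns entry for jail host
  community.dns.hetzner_dns_record:
    state: present
    zone: "{{ dns.zone }}"
    record: "{{ role_name }}.{{ dns.zone }}"
    type: AAAA
    ttl: 300
    value: "{{ jailip.stdout }}"
    hetzner_token: "{{ hetzner_dns_token }}"
  no_log: true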