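---
# Base system tasks: per-distribution variables, apt defaults, baseline
# packages, entropy daemon selection, /root permissions, kernel module
# blocking, sysctl settings and the kernel command line.

# Load the first vars file that exists, trying the release-specific file
# before the distribution-wide one. `skip: true` turns the task into a no-op
# when neither file is present.
- name: load distrubtion specific variables
  include_vars: "{{ item }}"
  with_first_found:
    - files:
        - "{{ ansible_distribution_release }}.yml"
        - "{{ ansible_distribution }}.yml"
      skip: true

# apt reads these drop-ins as root, so ownership and mode are pinned
# explicitly instead of being inherited from the connecting user and umask.
- name: disable recommends, suggests and pdiffs
  loop:
    - 02no-recommends
    - 02no-pdiffs
  copy:
    src: "{{ item }}"
    dest: /etc/apt/apt.conf.d/
    owner: root
    group: root
    mode: '0644'

- name: install base system tools
  apt:
    name:
      - htop
      - dstat
      - lsof
      - gawk
      - psmisc
      - less
      - debian-goodies
      - screen
      - mtr-tiny
      - tcpdump
      - iptraf-ng
      - ethtool
      - unp
      - dbus
      - libpam-systemd
      - aptitude
      - ca-certificates
      - file
      - man-db
      - manpages
      - nano
    state: present

# Host-level and group-level extra package lists are merged (duplicates are
# dropped by `union`) and installed in one transaction.
- name: install extra packages
  apt:
    name: "{{ base_packages_extra_host | union(base_packages_extra_group) }}"
    state: present

# Exactly one entropy daemon is kept: the selected one is installed and the
# other one is purged, depending on base_entropy_generator.
- name: install rngd
  when: base_entropy_generator == 'rngd'
  block:
    - name: install rngd
      apt:
        name: "{{ base_rngd_package_name }}"
        state: present

    - name: make sure haveged is removed/purged
      apt:
        name: haveged
        state: absent
        purge: true

- name: install haveged
  when: base_entropy_generator == 'haveged'
  block:
    - name: install haveged
      apt:
        name: haveged
        state: present

    - name: make sure rngd is removed/purged
      apt:
        name: "{{ base_rngd_package_name }}"
        state: absent
        purge: true

# The mode is quoted so it reaches the module as a string and cannot be
# re-interpreted as a decimal or octal integer by the YAML parser.
- name: Ensure /root is not world accessible
  file:
    path: /root
    mode: '0700'
    owner: root
    group: root
    state: directory

# Each selected module gets an `install <module> /bin/true` line, so modprobe
# runs /bin/true instead of loading it. Modules that are already loaded stay
# loaded until they are removed or the host reboots.
# NOTE(review): the lookup table is referenced as `base_modules_blacklist_`
# (trailing underscore) - confirm that this is the intended variable name.
- name: disable net/fs/misc kernel modules
  copy:
    content: |
      {% for item in (base_modules_blacklist | map('extract', base_modules_blacklist_) | flatten | sort | list) %}
      install {{ item }} /bin/true
      {% endfor %}
    dest: /etc/modprobe.d/disablemod.conf
    owner: root
    group: root
    mode: '0644'

# Entries in base_sysctl_config_user replace same-named entries of
# base_sysctl_config (`combine` lets the right-hand side win).
# NOTE(review): `ignoreerrors: true` suppresses errors about unknown keys, so
# a setting the running kernel does not know is skipped without failing the
# play. Confirm the effective values on the host if these settings are relied
# on for hardening.
- name: Change various sysctl-settings, look at the sysctl-vars file for documentation
  loop: "{{ base_sysctl_config | combine(base_sysctl_config_user) | dict2items }}"
  loop_control:
    label: "{{ item.key }} = {{ item.value }}"
  sysctl:
    name: "{{ item.key }}"
    value: "{{ item.value }}"
    sysctl_set: true
    state: present
    reload: true
    ignoreerrors: true

# The regexp requires `=` directly after the key, so it matches
# GRUB_CMDLINE_LINUX (commented out or not) but not
# GRUB_CMDLINE_LINUX_DEFAULT.
# NOTE(review): /etc/default/grub is read as shell by grub-mkconfig and the
# joined options are placed inside double quotes without escaping. Entries in
# install.kernel_cmdline must therefore come from trusted inventory and must
# not contain double quotes, backticks or `$`.
- name: set kernel command line options
  when:
    - install is defined
    - install.kernel_cmdline is defined
  lineinfile:
    path: /etc/default/grub
    regexp: '^#?GRUB_CMDLINE_LINUX='
    line: 'GRUB_CMDLINE_LINUX="{{ install.kernel_cmdline | join(" ") }}"'
  notify: update grub

- name: apply stability fix/workaround for machines using intel NIC
  when: base_intel_nic_stability_fix
  import_tasks: intel-nic.yml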