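---
# Prepares a throwaway Docker image used as a test target.  The second play
# rewrites /etc/sudoers, sets a fixed root password and relaxes PAM login
# checks, so it refuses to run anywhere except inside a Docker container.

- name: Bootstrap containers
  hosts: all
  strategy: linear
  gather_facts: false
  roles:
    - role: bootstrap

- name: Setup containers
  hosts: all
  strategy: mitogen_free
  # Can't gather facts before here.
  gather_facts: true
  vars:
    distro: "{{ ansible_distribution }}"
  pre_tasks:
    # Safety gate: everything below is only acceptable on a test container.
    - meta: end_play
      when:
        - ansible_facts.virtualization_type != "docker"
  roles:
    - role: package_manager
    - role: packages
    - role: sshd
    - role: sshd_container
  tasks:
    - name: Enable UTF-8 locale on Debian
      copy:
        dest: /etc/locale.gen
        content: |
          en_US.UTF-8 UTF-8
          fr_FR.UTF-8 UTF-8
        mode: 'u=rw,go=r'
      when: ansible_pkg_mgr == 'apt'

    - name: Generate UTF-8 locale on Debian
      command:
        cmd: locale-gen
      changed_when: true
      when: ansible_pkg_mgr == 'apt'

    - name: Write Unicode into /etc/environment
      copy:
        dest: /etc/environment
        # Double quotes are required so that \u2603 is decoded to the snowman.
        content: "UNICODE_SNOWMAN=\u2603\n"
        mode: 'u=rw,go=r'

    - name: Install doas.conf
      copy:
        dest: /etc/doas.conf
        content: |
          permit :mitogen__group
          permit :root
        mode: 'u=rw,go='

    # Fixed, well-known credential.  Only acceptable because the play is gated
    # on running inside a Docker test container (see end_play above).
    - name: Set root user password and shell
      user:
        name: root
        password: "{{ 'rootpassword' | password_hash('sha256') }}"
        shell: /bin/bash

    - name: Ensure /var/run/sshd exists
      file:
        path: /var/run/sshd
        state: directory
        mode: 'u=rwx,go=rx'

    # -N '' makes the empty passphrase explicit instead of relying on
    # ssh-keygen reading an empty answer from a closed stdin.
    - name: Generate SSH host key
      command: ssh-keygen -t rsa -N '' -f /etc/ssh/ssh_host_rsa_key
      args:
        creates: /etc/ssh/ssh_host_rsa_key

    - name: Ensure correct sudo group exists
      group:
        name: "{{ sudo_group[distro] }}"

    # Marker file so later tooling can recognise this as the test image.
    - name: Ensure /etc/sentinel exists
      copy:
        dest: /etc/sentinel
        content: |
          i-am-mitogen-test-docker-image
        mode: 'u=rw,go=r'

    - name: Ensure /etc/sudoers.d exists
      file:
        state: directory
        path: /etc/sudoers.d
        mode: 'u=rwx,go='

    # Edits /etc/sudoers without validation; a syntax error here breaks sudo
    # for the whole image.  Consider `validate: 'visudo -cf %s'` once sudo is
    # guaranteed to be installed before this task runs.
    - name: Install test-related sudo rules
      blockinfile:
        path: /etc/sudoers
        block: |
          # https://www.toofishes.net/blog/trouble-sudoers-or-last-entry-wins/
          %mitogen__sudo_nopw ALL=(ALL:ALL) NOPASSWD:ALL
          mitogen__has_sudo_nopw ALL = (mitogen__pw_required) ALL
          mitogen__has_sudo_nopw ALL = (mitogen__require_tty_pw_required) ALL
          Defaults>mitogen__pw_required targetpw
          Defaults>mitogen__require_tty requiretty
          Defaults>mitogen__require_tty_pw_required requiretty,targetpw

    - name: Prevent permission denied errors.
      file:
        path: /etc/sudoers.d/README
        state: absent

    # Uncomment the stock "%wheel ALL=(ALL) ALL" rule in place.  The
    # parentheses must be escaped (a bare "(ALL)" is a regex group matching
    # just "ALL"), and the stock line is typically tab-separated, so match
    # whitespace with \s+ rather than " +".  The regex also matches the
    # rendered line, so re-runs replace rather than append.
    - name: Install CentOS wheel sudo rule
      lineinfile:
        path: /etc/sudoers
        regexp: '^#* *%wheel\s+ALL=\(ALL\)\s+ALL'
        line: "%wheel ALL=(ALL) ALL"
      when: ansible_os_family == 'RedHat'

    # pam_loginuid.so is "required" in the stock sshd PAM stack; it commonly
    # fails inside containers, so downgrade it to "optional".
    - name: Allow remote SSH root login
      lineinfile:
        path: /etc/pam.d/sshd
        regexp: '.*session.*required.*pam_loginuid.so'
        line: session optional pam_loginuid.so

    # Normally this would be removed by systemd-networkd-wait-online. If
    # present ssh works only for root. The message displayed is
    # > System is booting up. Unprivileged users are not permitted to log in
    # > yet. Please come back later. For technical details, see pam_nologin(8).
    - name: Remove login lockout
      file:
        path: /run/nologin
        state: absent

    - name: Install convenience script for running an straced Python
      copy:
        mode: 'u=rwx,go=rx'
        dest: /usr/local/bin/pywrap
        content: |
          #!/bin/bash
          exec strace -ff -o /tmp/pywrap$$.trace python2.7 "$@"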