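---
# Provision the "nategb" web host: package update, sudo/wheel access for the
# listed accounts, SSH hardening, nginx + cgit (served through fcgiwrap) and
# the static site content.
#
# Review notes on the security-relevant changes in this revision:
#   * sudo is installed with the other packages and the wheel rule is no longer
#     gated on package facts gathered *before* sudo was installed (that gate
#     silently skipped the sudoers edit on a fresh host).
#   * sshd hardening now also disables keyboard-interactive auth (PAM can still
#     prompt for a password with only PasswordAuthentication off), inserts new
#     directives before any `Match` block instead of at EOF, and reloads sshd
#     so the change actually takes effect.
#   * nginx is reloaded via a handler only when its configuration changed.
- hosts: nategb
  become: true
  vars:
    # Accounts that get wheel (sudo) membership and the controller's SSH key.
    sudoers:
      - n8
    # Public key installed for every account in `sudoers`; read on the controller.
    ssh_pubkey_file: /home/n8/.ssh/id_ed25519.pub

  tasks:
    - name: pacman -Syu
      tags: nategb
      pacman:
        upgrade: true
        update_cache: true
      when: ansible_distribution == "Archlinux"

    - name: pacman -S nginx, etc.
      tags: nategb
      pacman:
        name:
          - base-devel
          - git
          - tmux
          - tor
          - rsync
          - neovim
          - nginx
          - cgit
          - fcgiwrap
          - certbot
          - certbot-nginx
          # sudo is required by the wheel/sudoers task below (visudo validation).
          - sudo
        update_cache: true
        state: present
      when: ansible_distribution == "Archlinux"

    - name: Make sure 'wheel' group exists
      tags: [nategb, sudo]
      group:
        name: wheel
        state: present

    - name: Allow 'wheel' group to use sudo
      tags: [nategb, sudo]
      lineinfile:
        dest: /etc/sudoers
        state: present
        regexp: '^%wheel'
        # Password still required; do not widen this to NOPASSWD without a reason.
        line: '%wheel ALL=(ALL) ALL'
        # A syntactically broken sudoers locks everyone out; visudo -c rejects it first.
        validate: 'visudo -cf %s'

    - name: add users
      tags: nategb
      user:
        name: "{{ item }}"
        groups: wheel
        append: true
        state: present
      loop: "{{ sudoers }}"

    # Keys must be in place before password authentication is switched off below,
    # otherwise the play can lock the operator out of the host.
    - name: add ssh keys to users
      tags: nategb
      authorized_key:
        user: "{{ item }}"
        state: present
        key: "{{ lookup('file', ssh_pubkey_file) }}"
      loop: "{{ sudoers }}"

    - name: secure sshd
      tags: [nategb, sshd]
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        state: present
        # sshd uses first-match semantics and a directive appended after a
        # `Match` block only applies inside that block; when the directive is
        # not present yet, insert it before the first Match (EOF if none).
        insertbefore: '^Match '
        firstmatch: true
        validate: 'sshd -T -f %s'
      loop:
        - regexp: "^PasswordAuthentication"
          line: "PasswordAuthentication no"
        # With UsePAM, keyboard-interactive is a second password path; close it too.
        - regexp: "^KbdInteractiveAuthentication"
          line: "KbdInteractiveAuthentication no"
        - regexp: "^PermitRootLogin"
          line: "PermitRootLogin prohibit-password"
      # NOTE(review): if sshd_config has an `Include /etc/ssh/sshd_config.d/*.conf`
      # line, drop-ins there take precedence over these edits — confirm on the host.
      notify: reload sshd

    - name: mkdir conf.d
      tags: [nginx, nategb]
      file:
        path: /etc/nginx/conf.d
        state: directory
        owner: root
        group: root
        mode: "0755"

    - name: copy nginx.conf to nginx on server
      tags: [nginx, nategb]
      copy:
        src: files/etc/nginx.conf
        dest: /etc/nginx/nginx.conf
        owner: root
        group: root
        mode: "0644"
      notify: reload nginx

    # force: false keeps a server-side edit of the vhost files; the copy only
    # seeds them on first run.
    - name: copy nategb.conf to nginx on server
      tags: [nginx, nategb]
      copy:
        force: false
        src: files/conf.d/nategb.conf
        dest: /etc/nginx/conf.d/nategb.conf
        owner: root
        group: root
        mode: "0644"
      notify: reload nginx

    - name: copy cgit.conf to nginx on server
      tags: [nginx, nategb]
      copy:
        force: false
        src: files/conf.d/cgit.conf
        dest: /etc/nginx/conf.d/cgit.conf
        owner: root
        group: root
        mode: "0644"
      notify: reload nginx

    # cgitrc is read by the cgit CGI on each request; no nginx reload needed.
    - name: copy cgitrc to server
      tags: [nginx, cgit, nategb]
      copy:
        src: files/etc/cgitrc
        dest: /etc/cgitrc
        owner: root
        group: root
        mode: "0644"

    - name: create /var/www/nategb
      tags: [nginx, nategb]
      file:
        path: /var/www/nategb
        state: directory
        mode: "0755"

    # `src` may be an absolute path as well; a relative one is resolved from
    # the playbook directory. --delete removes anything under the docroot that
    # is not in files/nategb-root/, so keep server-side content out of there.
    - name: copy web files
      tags: [nginx, nategb]
      synchronize:
        src: files/nategb-root/
        dest: /var/www/nategb
        rsync_opts:
          - "-r"
          - "-d"
          - "-v"
          - "-l"
          - "-P"
          - "--delete"

    - name: start nginx service
      tags: [nginx, nategb]
      service:
        name: nginx
        enabled: true
        state: started

    # fcgiwrap is socket-activated; the service unit requires the socket.
    - name: start fcgiwrap socket
      tags: nategb
      service:
        name: fcgiwrap.socket
        enabled: true
        state: started

    - name: start fcgiwrap service
      tags: nategb
      service:
        name: fcgiwrap
        enabled: true
        state: started

  handlers:
    # Reload (not restart) keeps existing SSH sessions alive if the new config
    # were to break login; the validate step above already rejected bad syntax.
    - name: reload sshd
      service:
        name: sshd
        state: reloaded

    - name: reload nginx
      service:
        name: nginx
        state: reloaded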