# code: language=ansible

- name: Install base packages from distro package manager
  become: true
  ansible.builtin.package:
    name:
      - fuse-overlayfs
    state: present

# http://ftp.us.debian.org/debian/pool/main/
- name: Install packages from debian unstable repository
  become: true
  ansible.builtin.apt:
    deb: "{{ item }}"
    state: present
  loop:
    - http://ftp.us.debian.org/debian/pool/main/n/netavark/netavark_1.4.0-3_amd64.deb
    - http://ftp.us.debian.org/debian/pool/main/a/aardvark-dns/aardvark-dns_1.4.0-3_amd64.deb
    - http://ftp.us.debian.org/debian/pool/main/libp/libpod/podman_4.4.0+ds1-1_amd64.deb
    - http://ftp.us.debian.org/debian/pool/main/libp/libpod/podman-docker_4.4.0+ds1-1_amd64.deb

- name: Add the 'containers' user
  become: true
  ansible.builtin.user:
    name: containers
    password: "!"
    system: false
    shell: /bin/bash
    comment: User running unprivileged containers
    state: present

- name: Add admin pub keys to authorized_keys
  become: true
  ansible.posix.authorized_key:
    user: containers
    key: "{{ item }}"
    state: present
  loop: "{{ vault_containers_authorized_keys }}"

- name: Check if user is lingering
  ansible.builtin.stat:
    path: "/var/lib/systemd/linger/containers"
  register: user_lingering

- name: Enable lingering is needed
  become: true
  ansible.builtin.command: "loginctl enable-linger containers"
  when:
    - not user_lingering.stat.exists

- name: Allow unprivileged users to open ports
  become: true
  ansible.posix.sysctl:
    name: net.ipv4.ip_unprivileged_port_start
    value: "20"
    sysctl_set: true

- name: Enable podman socket
  become: true
  become_user: containers
  ansible.builtin.systemd:
    scope: user
    name: podman.socket
    enabled: true
    state: started

- name: Enable podman auto-update timer
  become_user: containers
  become: true
  ansible.builtin.systemd:
    name: podman-auto-update.timer
    enabled: true

- name: Copy default containers config file
  become: true
  ansible.builtin.copy:
    remote_src: true
    src: /usr/share/containers/containers.conf
    dest: /etc/containers/containers.conf
    mode: "0644"

- name: Set podman default subnet into small /24 networks
  become: true
  ansible.builtin.lineinfile:
    path: /etc/containers/containers.conf
    regex: "^(.*)default_subnet = (.*)$"
    line: 'default_subnet = "172.16.0.0/24"'

- name: Force podman netavark network backend instead of CNI
  become: true
  ansible.builtin.lineinfile:
    path: /etc/containers/containers.conf
    regexp: "^(.*)network_backend = (.*)$"
    insertafter: "\\[network\\]"
    line: 'network_backend = "netavark"'
  # If regular expressions are passed to both regexp and insertafter, insertafter is only honored if no match for regexp is found.

# - name: Reboot
#   become: true
#   ansible.builtin.reboot: