- name: System - apt update and apt upgrade
  apt: update_cache=yes upgrade=yes
  when: debpkg_mode or nixpkg_mode
  # SEE http://archive.vn/DKJjs#parameter-upgrade

- name: Install required security updates
  apt:
    pkg:
      - tzdata
      - linux-libc-dev
  when: debpkg_mode or nixpkg_mode
# SEE https://github.com/georchestra/ansible/issues/55#issuecomment-588313638
# Without this, a similar error is faced
- name: Install Ansible dependencies
  apt:
    pkg:
      - acl
  when: debpkg_mode or nixpkg_mode

- name: Install security tools
  apt:
    pkg:
      - nftables
      - fail2ban
    update_cache: yes
    cache_valid_time: 3600
  when: debpkg_mode or nixpkg_mode

- name: Use nftables backend
  shell: |
    update-alternatives --set iptables /usr/sbin/iptables-nft
    update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
    update-alternatives --set arptables /usr/sbin/arptables-nft
    update-alternatives --set ebtables /usr/sbin/ebtables-nft
    systemctl restart ufw
  when: debpkg_mode or nixpkg_mode

- name: Create Sysstat log directory
  file:
    path: /var/log/sysstat
    state: directory
  when: debpkg_mode or nixpkg_mode
    
- name: Install other useful tools
  apt:
    pkg:
      - bwm-ng
      - htop
      - net-tools
      - ngrep
      - sysstat
      - vim-tiny
    update_cache: yes
  when: debpkg_mode or nixpkg_mode

- name: Configure sysstat
  copy:
    src: files/sysstat.sysstat
    dest: /etc/sysstat/sysstat
  when: debpkg_mode or nixpkg_mode

- name: Configure default sysstat
  copy:
    src: files/default.sysstat
    dest: /etc/default/sysstat
  when: debpkg_mode or nixpkg_mode


- name: Adjust APT update intervals
  copy:
    src: files/apt_periodic
    dest: /etc/apt/apt.conf.d/10periodic
  when: debpkg_mode or nixpkg_mode

# Find platform architecture and set as a variable
- name: finding platform architecture
  shell: if [ $(uname -m) = "aarch64" ]; then echo "arm64";  else echo "amd64"; fi
  register: platform_output
  tags:
    - update
    - update-only
- set_fact:
    platform: "{{ platform_output.stdout }}"
  tags:
    - update
    - update-only
  when: debpkg_mode or nixpkg_mode or stage2_nix

- name: create overrides dir
  file:
    state: directory
    owner: root
    group: root
    path: /etc/systemd/system/systemd-resolved.service.d
    mode: '0700'
  when: debpkg_mode or nixpkg_mode

- name: Custom systemd overrides for resolved
  copy:
    src: files/systemd-resolved.conf
    dest: /etc/systemd/system/systemd-resolved.service.d/override.conf
  when: debpkg_mode or nixpkg_mode

- name: System - Create services.slice
  template:
    src: files/services.slice.j2
    dest: /etc/systemd/system/services.slice
  when: debpkg_mode or nixpkg_mode


- name: System - systemd reload
  systemd: daemon_reload=yes
  when: debpkg_mode or nixpkg_mode

- name: Configure journald
  copy:
    src: files/journald.conf
    dest: /etc/systemd/journald.conf
  when: debpkg_mode or nixpkg_mode

- name: reload systemd-journald
  systemd:
   name: systemd-journald
   state: restarted
  when: debpkg_mode or nixpkg_mode

- name: Configure logind
  copy:
    src: files/logind.conf
    dest: /etc/systemd/logind.conf
  when: debpkg_mode or nixpkg_mode

- name: reload systemd-logind
  systemd:
   name: systemd-logind
   state: restarted
  when: debpkg_mode or nixpkg_mode

- name: enable timestamps for shell history
  copy:
    content: |
      export HISTTIMEFORMAT='%d/%m/%y %T '
    dest: /etc/profile.d/09-history-timestamps.sh
    mode: 0644
    owner: root
    group: root
  when: debpkg_mode or nixpkg_mode

- name: set hosts file
  copy:
    content: |
      127.0.0.1   localhost
      ::1         localhost
    dest: /etc/hosts
    mode: 0644
    owner: root
    group: root
  when: debpkg_mode or stage2_nix

#Set Sysctl params for restarting the OS on oom after 10
- name: Set vm.panic_on_oom=1
  ansible.builtin.sysctl:
    name: vm.panic_on_oom
    value: '1'
    state: present
    reload: yes
  when: debpkg_mode or nixpkg_mode

- name: Set kernel.panic=10
  ansible.builtin.sysctl:
    name: kernel.panic
    value: '10'
    state: present
    reload: yes
  when: debpkg_mode or nixpkg_mode

- name: configure system
  ansible.posix.sysctl:
    name: 'net.core.somaxconn'
    value: 16834

- name: configure system
  ansible.posix.sysctl:
    name: 'net.ipv4.ip_local_port_range'
    value: '1025 65000'

#Set Sysctl params specific to keepalives
- name: Set net.ipv4.tcp_keepalive_time=1800
  ansible.builtin.sysctl:
    name: net.ipv4.tcp_keepalive_time
    value: 1800
    state: present
  when: debpkg_mode or nixpkg_mode
- name: Set net.ipv4.tcp_keepalive_intvl=60
  ansible.builtin.sysctl:
    name: net.ipv4.tcp_keepalive_intvl
    value: 60
    state: present
  when: debpkg_mode or nixpkg_mode