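---
# Single play: base hardening (unattended upgrades, admin users, SSH, nftables)
# followed by a Jitsi Meet install that uses a certificate from the
# ansible-letsencrypt role.
#
# Ansible executes `roles:` before `tasks:` regardless of where the key sits in
# the play, so the Let's Encrypt certificate is obtained before the debconf
# answers below point jitsi-meet at /etc/letsencrypt/live/<server_name>/.
- hosts: all

  roles:
    - role: ansible-letsencrypt
      letsencrypt_email: "fnord@{{ jitsi_meet_server_name }}"
      letsencrypt_cert_domains:
        - "{{ jitsi_meet_server_name }}"
      tags: letsencrypt

  tasks:
    # General
    - name: auto-upgrades
      apt:
        name: unattended-upgrades

    - name: Install packages
      apt:
        name: "{{ packages }}"
      vars:
        packages:
          - unattended-upgrades
          - htop
          - screen
          - tmux
          - nftables

    - name: Remove useless packages from the cache
      apt:
        autoclean: true

    - name: Remove dependencies that are no longer required
      apt:
        autoremove: true

    # Users
    # `password` is a crypt(3) hash ($6$ = SHA-512); with update_password:
    # on_create it is only set when the account is first created.
    # TODO(review): keep these hashes in vault-encrypted vars rather than in the
    # playbook itself.
    - name: Add users
      user:
        name: "{{ item.name }}"
        groups: "{{ item.groups }}"
        password: "{{ item.password }}"
        update_password: "on_create"
        shell: "/bin/bash"
      with_items:
        - name: markus
          groups: "sudo"
          password: "$6$ukExBdf1pxl30$j8PzbiSXFOEynLfWJnd7yXJjQ5FGvbl9mP0ysw6rUHjM2qOQd3sR.6l5ezYFAzboHeJNmIiXsgGmrXn/2n72J/"
        - name: neunr
          groups: "sudo"
          password: "$6$3Ppvwt/4vrHp55xb$a/DqR2DlJJ5LzUWTvSHw3.Wo.94dZuLawaN.2rK0gvliBxe4yTEyia3XwNrXQqkRVydQRnv3nJNzRft1X809G0"

    # SSH
    - name: Set up authorized keys for markus
      authorized_key:
        user: markus
        key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILUiwpETwMRVueebO8aC6fBv0uYvuByJPPnpczP8kAIP markus"

    - name: Set up authorized keys for neunr
      authorized_key:
        user: neunr
        key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDyWcvk8smOkAtTBI0WDw+VmiGw4jOxvCt1LsCXJMrO+ 9R"

    # sshd applies the first occurrence of a directive. Matching only the
    # commented-out `#PasswordAuthentication` would leave an existing active
    # `PasswordAuthentication yes` in place and append the `no` line after it,
    # where it is ignored. `^#?` catches both forms. `validate` runs `sshd -t`
    # on the edited file so a bad edit is rejected before the handler restarts
    # sshd and locks us out.
    # NOTE(review): on releases whose sshd_config has an `Include
    # /etc/ssh/sshd_config.d/*.conf` line, drop-ins there are read first and
    # win over this file; check them as well.
    - name: Disable Password Authentication
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^#?PasswordAuthentication'
        line: "PasswordAuthentication no"
        state: present
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - restart ssh

    - name: Disable Root Login
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^#?PermitRootLogin'
        line: "PermitRootLogin no"
        state: present
        validate: '/usr/sbin/sshd -t -f %s'
      notify:
        - restart ssh

    # Networking
    - name: Create nftables config
      template:
        src: templates/nftables.conf.j2
        dest: /etc/nftables.conf
      notify:
        - reload nftables

    - name: enable nftables service
      systemd:
        name: nftables
        enabled: true

    # Jitsi
    - name: Configure signing key for Jitsi repository.
      apt_key:
        id: "66A9CD0595D6AFA247290D3BEF8B479E2DC1389C"
        url: "https://download.jitsi.org/jitsi-key.gpg.key"
        state: present

    - name: Install Jitsi apt repo.
      apt_repository:
        repo: "deb https://download.jitsi.org/ stable/"
        state: "present"
        # Ansible will automatically add the ".list" suffix.
        filename: /etc/apt/sources.list.d/jitsi_meet

    # Pre-seed the installer so it uses the Let's Encrypt certificate instead
    # of generating a self-signed one.
    - name: Set debconf options for jitsi-meet.
      debconf:
        name: "{{ item.name }}"
        question: "{{ item.question }}"
        value: "{{ item.value }}"
        vtype: "{{ item.vtype }}"
      with_items:
        # Test if these three work as intended
        - name: jitsi-meet
          question: jitsi-meet/cert-choice
          value: "I want to use my own certificate"
          vtype: string
        - name: jitsi-meet
          question: jitsi-meet/cert-path-crt
          value: "/etc/letsencrypt/live/{{ jitsi_meet_server_name }}/fullchain.pem"
          vtype: string
        - name: jitsi-meet
          question: jitsi-meet/cert-path-key
          value: "/etc/letsencrypt/live/{{ jitsi_meet_server_name }}/privkey.pem"
          vtype: string
        - name: jitsi-videobridge
          question: jitsi-videobridge/jvb-hostname
          value: "{{ jitsi_meet_server_name }}"
          vtype: string
        - name: jicofo
          question: jitsi-videobridge/jvb-hostname
          value: "{{ jitsi_meet_server_name }}"
          vtype: string
        - name: jitsi-meet-prosody
          question: jitsi-videobridge/jvb-hostname
          value: "{{ jitsi_meet_server_name }}"
          vtype: string
        - name: jitsi-meet-prosody
          question: jitsi-meet-prosody/jvb-hostname
          value: "{{ jitsi_meet_server_name }}"
          vtype: string
        - name: jitsi-meet-web-config
          question: jitsi-videobridge/jvb-hostname
          value: "{{ jitsi_meet_server_name }}"
          vtype: string
        - name: jitsi-meet-web-config
          question: jitsi-meet/cert-choice
          value: "I want to use my own certificate"
          vtype: string
        # The following two do not seem to work as intended
        - name: jitsi-meet-web-config
          question: jitsi-meet/cert-path-crt
          value: "/etc/letsencrypt/live/{{ jitsi_meet_server_name }}/fullchain.pem"
          vtype: string
        - name: jitsi-meet-web-config
          question: jitsi-meet/cert-path-key
          value: "/etc/letsencrypt/live/{{ jitsi_meet_server_name }}/privkey.pem"
          vtype: string

    # state: latest upgrades jitsi-meet on every run, so the play is not
    # idempotent for this package; cache_valid_time bounds how often apt
    # refreshes its index.
    - name: Install Jitsi Meet
      apt:
        name: jitsi-meet
        state: latest
        update_cache: true
        cache_valid_time: 3600

    # Configuration
    - name: Overwrite Nginx Site Config
      template:
        src: templates/nginx_site_config.j2
        dest: "/etc/nginx/sites-available/{{ jitsi_meet_server_name }}.conf"
      notify:
        - restart nginx

    - name: Overwrite Nginx Config
      template:
        src: templates/nginx.conf.j2
        dest: "/etc/nginx/nginx.conf"
      notify:
        - restart nginx

    - name: Overwrite Jitsi Web Config
      template:
        src: templates/jitsi-config.js.j2
        dest: "/etc/jitsi/meet/{{ jitsi_meet_server_name }}-config.js"

  handlers:
    - name: restart ssh
      service:
        name: sshd
        state: restarted

    - name: reload nftables
      service:
        name: nftables
        state: reloaded

    - name: restart nginx
      service:
        name: nginx
        state: restarted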