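---
# Base provisioning tasks for a host: common packages, SELinux in enforcing
# mode, the "beieli" service account and its directories, key-only root SSH,
# /etc/hosts, Zabbix agent, Postfix relay, fail2ban and firewalld rules.
# Handlers named in `notify:` are defined outside this file.

- name: install basic packages
  yum:
    name: "{{ packages }}"
    state: present
  vars:
    packages:
      - langpacks-en
      - langpacks-de
      - glibc-all-langpacks
      - podman
      - sysstat
      - mailx
      - bind-utils
      - epel-release
      - setroubleshoot-server
      - socat
      - unzip
      - wget
      - git
      - bzip2
      - golang

- name: Enable SELinux
  selinux:
    policy: targeted
    state: enforcing

# Only the boot-time enablement is changed; no `state:` is given, so a
# currently running kdump unit is left as it is.
- name: disable kdump
  systemd:
    name: kdump
    enabled: false

- name: Add Group beieli
  group:
    name: beieli
    gid: 1000
    state: present

- name: Add User beieli
  user:
    name: beieli
    shell: /bin/bash
    uid: 1000
    group: beieli

# 0755 makes the home directory traversable by other accounts; the web
# content directory below sits underneath it.
- name: Change permission of /home/beieli
  file:
    path: /home/beieli
    state: directory
    owner: beieli
    group: beieli
    mode: '0755'

- name: Create /home/beieli/mini-beieli-web
  file:
    path: /home/beieli/mini-beieli-web
    state: directory
    owner: beieli
    group: beieli
    mode: '0755'

- name: Create /home/beieli/mini-beieli-lorahandler
  file:
    path: /home/beieli/mini-beieli-lorahandler
    state: directory
    owner: beieli
    group: beieli
    mode: '0755'

# Registers the file-context rule only; relabelling of existing files is
# left to the notified handler.
- name: Allow apache to read files in /home/beieli/mini-beieli-web
  sefcontext:
    target: '/home/beieli/mini-beieli-web(/.*)?'
    setype: httpd_sys_content_t
    state: present
  notify:
    - Restore selinux context

# The pattern matches only an active (uncommented) directive. When none is
# present the line is appended at the end of the file, which would place it
# inside a trailing `Match` block if the file has one.
# `validate` makes sshd check the edited copy before it replaces the real
# file, so a broken config cannot lock out remote access.
# NOTE(review): `without-password` is the older spelling of
# `prohibit-password`; confirm the target OpenSSH version before renaming.
- name: allow root SSH with key only
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^PermitRootLogin'
    line: 'PermitRootLogin without-password'
    state: present
    validate: '/usr/sbin/sshd -t -f %s'
  notify: Restart ssh

- name: create /etc/hosts from template
  template:
    src: hosts.j2
    dest: /etc/hosts
    owner: root
    group: root
    backup: true
    mode: '0644'

- name: install zabbix agent
  yum:
    name: zabbix40-agent
    state: present

- name: enable zabbix agent
  systemd:
    name: zabbix-agent
    enabled: true

# Restricts which server the agent accepts passive checks from.
- name: zabbix config
  lineinfile:
    path: /etc/zabbix/zabbix_agentd.conf
    regexp: '^Server='
    line: "Server={{ zabbix_server_ip }}"
    state: present
  notify: Restart zabbix-agent

- name: install postfix
  yum:
    name: postfix
    state: present

- name: enable postfix
  systemd:
    name: postfix
    enabled: true

# NOTE(review): no TLS or authentication settings for the relay are set in
# this file; confirm the path to the relay on port 25 is trusted.
- name: postfix config - relayhost
  lineinfile:
    path: /etc/postfix/main.cf
    regexp: '^relayhost'
    line: "relayhost = [{{ mailserver }}]:25"
    state: present
  notify: Restart postfix

- name: postfix config - myhostname
  lineinfile:
    path: /etc/postfix/main.cf
    regexp: '^myhostname'
    line: "myhostname = {{ ansible_hostname }}.{{ my_domain }}"
    state: present
  notify: Restart postfix

# Explicit owner and mode so the result does not depend on the umask of the
# connection user; the file must not be writable by anyone but root.
- name: create .forward file
  copy:
    dest: /root/.forward
    content: "{{ mail_forward_address }}\n"
    owner: root
    group: root
    mode: '0644'

- name: install fail2ban
  yum:
    name: fail2ban
    state: present

- name: enable fail2ban
  systemd:
    name: fail2ban
    enabled: true

- name: copy fail2ban config
  copy:
    src: jail.local
    dest: /etc/fail2ban/jail.local
    mode: '0644'
  notify: Restart fail2ban

# `permanent: true` without `immediate` changes only the stored
# configuration; the running firewall picks it up when the notified handler
# reloads firewalld.
- name: setup firewalld rules - services
  firewalld:
    service: "{{ item }}"
    permanent: true
    state: enabled
  loop:
    - ssh
    - http
    - https
  notify: reload firewalld

- name: setup firewalld rules - remove services
  firewalld:
    service: "{{ item }}"
    permanent: true
    state: disabled
  loop:
    - cockpit
  notify: reload firewalld

# NOTE(review): the Zabbix agent port is opened without a source
# restriction, so only the agent's `Server=` setting limits who can query
# it. Consider a rich rule limited to zabbix_server_ip.
- name: setup firewalld rules - ports
  firewalld:
    port: "{{ item }}"
    permanent: true
    state: enabled
  loop:
    - '10050/tcp'
  notify: reload firewalld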