---
# Common baseline for every node: packages, time sync, Docker, the admin and
# cephadm users, cephadm SSH key distribution and unattended security updates.

- name: COMMON | Systempakete aktualisieren und upgraden
  ansible.builtin.apt:
    update_cache: true
    upgrade: dist
    autoremove: true
    autoclean: true

- name: COMMON | Notwendige Pakete installieren
  ansible.builtin.apt:
    name:
      - ufw
      - fail2ban
      - unattended-upgrades
      - apt-listchanges
      - docker-ce
      - python3-pip
      - chrony
      - lvm2
      - cephadm
      - ceph-common
    state: present

- name: COMMON | Chrony Dienst starten und aktivieren
  ansible.builtin.service:
    name: chronyd
    state: started
    enabled: true

- name: COMMON | Docker Dienst starten und aktivieren
  ansible.builtin.service:
    name: docker
    state: started
    enabled: true

- name: COMMON | Einen dedizierten Admin-Benutzer erstellen
  ansible.builtin.user:
    name: "{{ admin_user }}"
    # ansible.builtin.user expects an already hashed password here
    # (e.g. "{{ admin_password | password_hash('sha512') }}"), never plain text.
    password: "{{ admin_password }}"
    shell: /bin/bash
    groups: sudo,docker
    append: true
    state: present

- name: COMMON | SSH-Schlüssel für den Admin-Benutzer einrichten
  ansible.posix.authorized_key:
    user: "{{ admin_user }}"
    key: "{{ item }}"
    state: present
  with_items: "{{ authorized_keys }}"

- name: COMMON | cephadm-Benutzer erstellen
  ansible.builtin.user:
    name: "cephadm"
    # Same rule as above: this must be a password hash.
    password: "{{ cephadm_password }}"
    shell: /bin/bash
    groups: sudo,docker
    append: true
    state: present

- name: COMMON | .ssh Verzeichnis für cephadm-Benutzer erstellen
  ansible.builtin.file:
    path: /home/cephadm/.ssh
    state: directory
    # sshd (StrictModes) ignores authorized_keys in a ~/.ssh that is not owned
    # by the user; without these fields the directory is created as root:root.
    owner: cephadm
    group: cephadm
    mode: '0700'

- name: COMMON | Passwortloses Sudo für cephadm-Benutzer erlauben
  ansible.builtin.copy:
    dest: "/etc/sudoers.d/91-cephadm-nopasswd"
    content: "cephadm ALL=(ALL) NOPASSWD: ALL"
    mode: '0440'
    # visudo checks the staged file first, so a syntax error can never break sudo.
    validate: 'visudo -cf %s'

- name: COMMON | ed25519 SSH-Schlüssel für cephadm-Benutzer generieren (nur auf dem ersten Manager)
  community.crypto.openssh_keypair:
    path: /home/cephadm/.ssh/id_ed25519
    type: ed25519
    owner: cephadm
    group: cephadm
    mode: '0600'
  when: inventory_hostname == groups['managers'][0]

- name: COMMON | Öffentlichen SSH-Schlüssel von cephadm abrufen
  ansible.builtin.slurp:
    src: /home/cephadm/.ssh/id_ed25519.pub
  register: cephadm_ssh_pub_key
  when: inventory_hostname == groups['managers'][0]

- name: COMMON | Öffentlichen SSH-Schlüssel von cephadm auf allen Knoten verteilen
  ansible.posix.authorized_key:
    user: cephadm
    # Only the public half is distributed; the private key never leaves the first manager.
    key: "{{ hostvars[groups['managers'][0]]['cephadm_ssh_pub_key']['content'] | b64decode }}"
    state: present

- name: COMMON | Automatische Sicherheitsupdates konfigurieren
  ansible.builtin.copy:
    src: assets/50unattended-upgrades
    dest: /etc/apt/apt.conf.d/50unattended-upgrades
    owner: root
    group: root
    mode: '0644'

- name: COMMON | Periodische Auto-Updates aktivieren
  ansible.builtin.copy:
    src: assets/20auto-upgrades
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    owner: root
    group: root
    mode: '0644'