---
- name: Prepare Archliux host
  hosts: all
  become: true
  gather_facts: false
  tasks:
    - name: Install python, since it's not installed by default
      ansible.builtin.raw: pacman --noconfirm -Sy python
      changed_when: false
      when: lookup('env', 'MOLECULE_DISTRO') == 'generic/arch'

- name: Wrapper playbook for kitchen testing "ansible-os-hardening" with custom vars for testing
  hosts: all
  become: true
  environment:
    http_proxy: "{{ lookup('env', 'http_proxy') | default(omit)  }}"
    https_proxy: "{{ lookup('env', 'https_proxy') | default(omit) }}"
    no_proxy: "{{ lookup('env', 'no_proxy') | default(omit) }}"
  tasks:
    - name: Set ansible_python_interpreter to "/usr/bin/python3" on fedora
      ansible.builtin.set_fact:
        ansible_python_interpreter: /usr/bin/python3
      when: ansible_facts.distribution == 'Fedora'

    - name: Block update of Grub, because of error
      ansible.builtin.dpkg_selections:
        name: grub-pc
        selection: hold
      when: ansible_os_family == 'Debian'

    # we need to free up space, since the /boot partition in some Vagrant images is
    # pretty small and system updates might fail
    - name: Find all initrd.img to delete them
      ansible.builtin.find:
        paths: /boot
        patterns: "initrd.img*"
      register: find_results
      when: ansible_os_family == 'Debian'

    - name: Delete all initrd.img to free space on /boot
      ansible.builtin.file:
        path: "{{ item['path'] }}"
        state: absent
      with_items: "{{ find_results['files'] }}"
      when: ansible_os_family == 'Debian'

    - name: Run the equivalent of "apt-get update && apt-get upgrade"
      ansible.builtin.apt:
        upgrade: safe
        update_cache: true
      when: ansible_os_family == 'Debian'

    - name: Install required tools on SuSE
      # cannot use zypper module, since it depends on python-xml
      ansible.builtin.command: zypper -n install python-xml
      changed_when: false
      when: ansible_facts.os_family == 'Suse'

    - name: Install required tools on fedora
      ansible.builtin.dnf:
        name:
          - python
          - findutils
          - procps-ng
          - python3-libselinux
      when: ansible_facts.distribution == 'Fedora'

    - name: Install required tools on Arch
      community.general.pacman:
        name:
          - awk
        state: present
        update_cache: true
      when: ansible_facts.os_family == 'Archlinux'

    - name: Install required tools on RHEL # noqa ignore-errors
      ansible.builtin.dnf:
        name:
          - openssh-clients
          - openssh
        state: present
        update_cache: true
      ignore_errors: true

    - name: Create recursing symlink to test minimize access
      ansible.builtin.shell: rm -f /usr/bin/zzz && ln -s /usr/bin /usr/bin/zzz
      changed_when: false

    - name: Unmount EFI partition to get rid of vfat filesystem (qemu has no firmware image that inspec can detect)
      ansible.posix.mount:
        path: /boot/efi
        state: unmounted
      when: ansible_facts.distribution == 'Fedora'

    - name: Include YUM prepare tasks
      ansible.builtin.include_tasks: prepare_tasks/yum.yml
      when: ansible_facts.os_family == 'RedHat'