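---
# Tasks that deploy the anubis container as a systemd-managed podman service:
# package, service account, subordinate id maps, SELinux port and file
# labels, policy/env configuration, and the unit itself.

- name: Install podman for anubis container
  ansible.builtin.package:
    name: podman
    state: present
  tags:
    - config
    - anubis

- name: Add anubis group
  ansible.builtin.group:
    name: anubis
    system: true
  tags:
    - config
    - anubis

- name: Add anubis user
  ansible.builtin.user:
    name: anubis
    group: anubis
    system: true
  tags:
    - config
    - anubis

- name: install subuid file
  ansible.builtin.copy:
    dest: /etc/subuid
    src: subuid
    owner: root
    group: root
    mode: '0644'
  tags:
    - config
    - anubis

# NOTE(review): /etc/subgid is populated from the same source file as
# /etc/subuid. The two files share a format, so this may be deliberate;
# confirm it is not a copy-paste slip before adding a separate subgid file.
- name: install subgid file
  ansible.builtin.copy:
    dest: /etc/subgid
    src: subuid
    owner: root
    group: root
    mode: '0644'
  tags:
    - config
    - anubis

# Replaces the former "semanage port -l" + substring-find pair. A substring
# match on "3923" also matches longer port numbers or another type's entry,
# and the follow-up task carried no tags, so a tag-filtered run could reach
# it with the registered variable undefined. seport is idempotent and only
# reports a change when the mapping is actually added.
- name: Set ports so httpd can bind to 3923
  community.general.seport:
    ports: 3923
    proto: tcp
    setype: http_port_t
    state: present
  tags:
    - config
    - anubis
    - selinux

# No "recurse" here: with recurse the 0755 mode is re-applied to every file
# below the directory on each run, which makes the 0644 config files
# executable and then causes the copy/template tasks to report a change and
# restart the service every time. state=directory already creates missing
# parent directories.
- name: Create the directory to store the anubis policy file
  ansible.builtin.file:
    dest: /srv/anubis/cfg/
    state: directory
    owner: root
    group: root
    mode: '0755'
  tags:
    - config
    - anubis

- name: Add the anubis bot config file
  ansible.builtin.copy:
    src: botPolicy.yaml
    dest: /srv/anubis/cfg/botPolicy.yaml
    owner: root
    group: root
    mode: '0644'
  notify:
    - Restart anubis-el
  tags:
    - config
    - anubis

# Persist the label rule so relabels keep the tree readable by the container.
- name: Set SELinux context for anubis directory
  community.general.sefcontext:
    target: "/srv/anubis(/.*)?"
    setype: container_file_t
    state: present
  tags:
    - config
    - anubis
    - selinux

# restorecon -v prints one line per relabelled path, so non-empty stdout is
# used as the "changed" signal.
- name: Apply SELinux changes to anubis directory
  ansible.builtin.command: restorecon -irv "/srv/anubis/"
  register: restorecon_output
  changed_when: >-
    restorecon_output.stdout is defined
    and restorecon_output.stdout | length > 0
  tags:
    - config
    - anubis
    - selinux

# This service calls podman to pull the anubis container,
# then sets various env variables for the service and runs it.
- name: Add the anubis systemd service
  ansible.builtin.copy:
    src: anubis.service
    dest: /etc/systemd/system/anubis.service
    owner: root
    group: root
    mode: '0644'
  notify:
    - Reload systemd
  tags:
    - config
    - anubis

# NOTE(review): the rendered env file is world-readable (0644). If env.j2
# carries any secret values, tighten owner/group/mode to the least access
# that whichever account reads this file (not visible here) still needs.
# Tags added to match the sibling tasks so tag-filtered runs keep the env
# file in sync with the rest of the configuration.
- name: Add the anubis env file
  ansible.builtin.template:
    src: env.j2
    dest: /srv/anubis/cfg/env
    owner: root
    group: root
    mode: '0644'
  notify:
    - Restart anubis-el
  tags:
    - config
    - anubis

- name: Enable and make sure pod is started
  ansible.builtin.systemd:
    name: anubis
    state: started
    enabled: true
  tags:
    - config
    - anubis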