---

- name: mount rw
  hosts:
    - pikvm
  become: true
  pre_tasks:
    - name: mount rw
      command: /usr/local/bin/rw

- name: set-up eudev
  hosts: suricata
  become: true
  roles:
    - eudev
  tags: eudev

- name: basic roles
  hosts:
    - caladan
    - fugu
    - narwhal
    - snitch
    - suricata
    - pikvm
    - cuina
    - lb
  become: true
  roles:
    - repos
    - basic

- name: cryptoraid
  hosts:
    - suricata
  become: true
  roles:
    - cryptoraid
  tags: raid

- name: mounts
  hosts:
    - suricata
    - cuina
  become: true
  roles:
    - mounts

- name: nfs-server
  hosts:
    - suricata
  become: true
  roles:
    - nfs-server
  tags: nfs

- name: usercfg
  hosts:
    - suricata
  become: true
  roles:
    - usercfg

- name: lbu.conf
  hosts:
    - suricata
    - cuina
  become: true
  roles:
    - lbu_conf
  tags: lbu_conf

- name: setup_apkcache
  hosts:
    - suricata
    - cuina
  become: true
  roles:
    - apk_cache

- name: common roles
  hosts:
    - caladan
    - fugu
    - narwhal
    - snitch
    - suricata
    - pikvm
    - cuina
    - lb
  become: true
  roles:
    - users
    - sshd
  vars:
    users:
      - ansible
      - btrbk
      - builder
      - media
      - dags
      - gopass
      - rilla
      - woodpecker
  tags: common

- name: quality of life tools
  hosts:
    - caladan
    - fugu
    - narwhal
    - suricata
    - cuina
    - lb
  become: true
  roles:
    - quality_of_life

- name: pi_fan_hwpwm
  hosts:
    - suricata
  become: true
  roles:
    - pi_fan_hwpwm

- name: docker
  hosts:
    - caladan
    - narwhal
  become: true
  roles:
    - docker

- name: podman
  hosts:
    - suricata
  become: true
  roles:
    - podman
  tags: podman

- name: k3s
  hosts:
    - suricata
  become: true
  roles:
    - k3s
  tags: k3s

- name: wifi setup
  hosts: snitch
  become: true
  roles:
    - wifi

- name: btrbk
  hosts:
    - narwhal
    - suricata
  become: true
  roles:
    - btrbk
  tags: btrbk

- name: caladan-specific things
  hosts: caladan
  become: true
  roles:
    - tinyproxy

- name: wireguard
  hosts:
    - caladan
    - fugu
  become: true
  roles:
    - wireguard
  vars_files:
    - 'vars/vault.yaml'

- name: notifiers
  hosts:
    - suricata
  become: true
  roles:
    - notifiers
  tags: notifiers

- name: set up NUT
  hosts:
    - narwhal
    - pikvm
    - suricata
  become: true
  roles:
    - nut
  tags: nut

- name: setup gopass
  become: true
  hosts:
    - caladan
    - fugu
    - narwhal
    # - pikvm
  roles:
    - gopass

- name: setup DAGs
  become: true
  hosts:
    - pikvm
  roles:
    - dags
  tags: dags

- name: set up pikvm's ssl certs
  hosts:
    - pikvm
  become: true
  vars:
    domain: monotremata.xyz

- name: lbu commit
  hosts:
    - snitch
    - suricata
  become: true
  tags: lbu
  post_tasks:
    - name: lbu commit
      # I use the shell module instead of the lbu one because the lbu module
      # doesn't seem to work with encryption
      shell:
        cmd: lbu commit
      environment:
        PASSWORD: '{{ lbu_password }}'
      when: ansible_distribution == "Alpine" and alpine_mode in ["diskless", "data"]

    - name: create lbu backups directory
      file:
        state: directory
        path: /mnt/backups/lbu

    # todo: use less hardcoding
    - name: make a more permanent lbu backup
      copy:
        src: "/media/mmcblk0p2/{{ ansible_hostname }}.apkovl.tar.gz.aes-256-cbc"
        dest: "/mnt/backups/lbu/{{ ansible_hostname }}.apkovl.tar.gz.aes-256-cbc.{{ ansible_date_time.iso8601 }}"
        remote_src: true

- name: mount ro
  hosts:
    - pikvm
  become: true
  post_tasks:
    - name: mount ro
      command: /usr/local/bin/ro