---

dependency: {}

driver:

  name: vagrant

  provider:

    name: virtualbox

lint:

  name: yamllint

  options:

    config-file: ../../.yamllint.yml

platforms:

  - name: parameters-mandatory-bookworm

    groups:

      - parameters-mandatory

    box: debian/bookworm64

    memory: 256

    cpus: 1

    provider_raw_config_args:

      - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"

  - name: parameters-optional-bookworm

    groups:

      - parameters-optional

    box: debian/bookworm64

    memory: 256

    cpus: 1

    provider_raw_config_args:

      - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"

provisioner:

  name: ansible

  config_options:

    defaults:

      force_valid_group_names: "ignore"

      interpreter_python: "/usr/bin/python3"

    ssh_connection:

      pipelining: "True"

  lint:

    name: ansible-lint

scenario:

  name: default

verifier:

  name: testinfra

  lint:

    name: flake8

        network_name: private_network

        type: static

      - auto_config: true

        ip: fd00::192:168:56:2

        network_name: private_network

        netmask: 116

        type: static

  - name: client1

    groups:

      - client

      - client-allowed

    box: debian/bookworm64

    memory: 256

    cpus: 1

    provider_raw_config_args:

      - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"

    interfaces:

      - auto_config: true

        ip: 192.168.56.3

        network_name: private_network

        type: static

      - auto_config: true

        ip: fd00::192:168:56:3

        network_name: private_network

        netmask: 116

        type: static

  - name: client2

    groups:

      - client

      - client-disallowed

    box: debian/bookworm64

    memory: 256

    cpus: 1

    provider_raw_config_args:

      - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"

    interfaces:

      - auto_config: true

        ip: 192.168.56.4

        network_name: private_network

        type: static

      - auto_config: true

        ip: fd00::192:168:56:4

        network_name: private_network

        netmask: 116

        type: static

  - name: parameters-mandatory-bookworm

    groups:

      - parameters-mandatory

    box: debian/bookworm64

    memory: 384

    cpus: 1

    provider_raw_config_args:

      - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"

    interfaces:

      - auto_config: true

        ip: 192.168.56.21

        network_name: private_network

        type: static

      - auto_config: true

        ip: fd00::192:168:56:21

        network_name: private_network

        netmask: 116

        type: static

  - name: parameters-optional-bookworm

    groups:

      - parameters-optional

    box: debian/bookworm64

    memory: 384

    cpus: 1

    provider_raw_config_args:

      - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"

    interfaces:

      - auto_config: true

        ip: 192.168.56.22

        network_name: private_network

        type: static

      - auto_config: true

        ip: fd00::192:168:56:22

        network_name: private_network

        netmask: 116

        type: static

provisioner:

  name: ansible

  playbooks:

    cleanup: cleanup.yml

  config_options:

    defaults:

      force_valid_group_names: "ignore"

      interpreter_python: "/usr/bin/python3"

    ssh_connection:

      pipelining: "True"

    - name: Install python for Ansible

      raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal)

      become: true

      changed_when: false

- hosts: all

  become: true

  tasks:

    - name: Update all caches to avoid errors due to missing remote archives

      apt:

        update_cache: true

      changed_when: false

    - name: Install net-tools for running Testinfra host.socket tests

      apt:

        name: net-tools

        state: present

- hosts: helper

  become: true

  tasks:

    - name: Install apt-cacher-ng

      apt:

        name: apt-cacher-ng

        state: present

- hosts: client

  become: true

  tasks:

    - name: Install tool for testing TCP connectivity

      apt:

        name: nmap

        state: present

    - name: Set-up /etc/hosts with entries for all servers

      lineinfile:

        path: /etc/hosts

        regexp: "^{{ item.key }}"

        line: "{{ item.key }} {{ item.value }}"

        owner: root

        group: root

        mode: 0644

        state: present

      with_dict:

        192.168.56.21: parameters-mandatory-bookworm

        192.168.56.22: parameters-optional-bookworm

        fd00::192:168:56:21: parameters-mandatory-bookworm

        fd00::192:168:56:22: parameters-optional-bookworm

- hosts: parameters-mandatory,parameters-optional

  become: true

  tasks:

    - name: Set-up /etc/hosts with entries for all servers

      lineinfile:

        path: /etc/hosts

        regexp: "^{{ item.key }}"

        line: "{{ item.key }} {{ item.value }}"

        owner: root

        group: root

        mode: 0644

        state: present

      with_dict:

        192.168.56.3: client1

        192.168.56.4: client2

    - name: Load legacy iptables to test their removal

      modprobe:

        name: "{{ item }}"

        state: present

      with_items:

        - iptable_filter

        - iptable_nat

        - iptable_mangle

        - iptable_security

        - iptable_raw

        - ip6table_filter

        - ip6table_nat

        - ip6table_mangle

        - ip6table_security

        - ip6table_raw

    - name: Create some custom legacy iptables chains for testing their removal (max chain name length is 29)

      command: "iptables-legacy -t '{{ item }}' -N '{{ (ansible_date_time.iso8601_micro | to_uuid)[:28] }}'"

      with_items:

        - filter

        - nat

        - mangle

        - security

        - raw

    - name: Create some custom legacy ip6tables chains for testing their removal (max chain name length is 29)

- name: Set home directory mask

  lineinfile:

    dest: "/etc/adduser.conf"

    state: present

    backrefs: true

    regexp: '^\s*#?\s*DIR_MODE='

    line: 'DIR_MODE=0750'

- name: Deploy bash profile configuration for fancier prompts

  template:

    src: "bash_prompt.sh.j2"

    dest: "/etc/profile.d/bash_prompt.sh"

    owner: root

    group: root

    mode: 0644

- name: Deploy profile configuration that allows for user-specific profile.d files

  copy:

    src: "user_profile_d.sh"

    dest: "/etc/profile.d/z99-user_profile_d.sh"

    owner: root

    group: root

    mode: 0644

- name: Replace default and skeleton bashrc

  copy:

    src: "{{ item.key }}"

    dest: "{{ item.value }}"

    owner: root

    group: root

    mode: 0644

  with_dict:

    bashrc: "/etc/bash.bashrc"

    skel_bashrc: "/etc/skel/.bashrc"

- name: Calculate stock checksum for bashrc root account

  stat:

    path: "/root/.bashrc"

  register: root_bashrc_stat

- name: Replace stock bashrc for root account with skeleton one

  copy:

    src: "skel_bashrc"

    dest: "/root/.bashrc"

    owner: root

    group: root

    mode: 0640

  when: |

    root_bashrc_stat.stat.checksum == "1a422a148ad225aa5ba33f8dafd2b7cfcdbd701f"

- name: Install sudo

  apt:

    name: sudo

    state: present

- name: Install ssl-cert package

  apt:

    name: ssl-cert

    state: present

- name: Install common packages

  apt:

    name: "{{ common_packages }}"

    state: "present"

- name: Disable electric-indent-mode for Emacs by default for all users

  copy:

    src: "01disable-electric-indent-mode.el"

    dest: "/etc/emacs/site-start.d/01disable-electric-indent-mode.el"

    owner: root

    group: root

    mode: 0644

  when: "['emacs24', 'emacs24-nox', 'emacs25', 'emacs25-nox', 'emacs', 'emacs-nox'] | intersect(common_packages) | length > 0"

- name: Set-up operating system groups

  group:

    name: "{{ item.name }}"

    gid: "{{ item.gid | default(omit) }}"

    state: present

  with_items: "{{ os_groups }}"

- name: Set-up operating system user groups

  group:

    name: "{{ item.name }}"

    gid: "{{ item.uid | default(omit) }}"

    state: present

  with_items: "{{ os_users }}"

- name: Set-up operating system users

  user:

    name: "{{ item.name }}"

    uid: "{{ item.uid | default(omit) }}"

    group: "{{ item.name }}"

    groups: "{{ ','.join(item.additional_groups | default([])) }}"

    append: true

  become: true

  become_user: "pipreqcheck"

  # Virtual environment perhaps does not exist.

  failed_when: false

  changed_when: false

  register: virtualenv_python_version

- name: Retrieve virtual environment prompt

  command:

    argv:

      - "bash"

      - "-c"

      - "source '/var/lib/pipreqcheck/virtualenv/bin/activate'; printenv PS1"

  become: true

  become_user: "pipreqcheck"

  failed_when: false

  changed_when: false

  register: current_virtualenv_prompt

- name: Remove virtual environment in case of mismatches

  file:

    path: "/var/lib/pipreqcheck/virtualenv"

    state: absent

  when: |

    virtualenv_python_version.rc != 0 or

    virtualenv_python_version.stdout.strip() != python_interpreter_version.stdout.strip() or

    current_virtualenv_prompt.stdout != "(pipreqcheck) "

- name: Create directory for Python virtual environment used for installing/running pip-tools

  file:

    path: "{{ item }}"

    state: directory

    owner: pipreqcheck

    group: pipreqcheck

    mode: 0750

  with_items:

    - "/var/lib/pipreqcheck"

    - "/var/lib/pipreqcheck/virtualenv"

- name: Create Python virtual environment used for installing/running pip-tools

  command: "/usr/bin/virtualenv --python '{{ item.python_path }}' --prompt '{{ item.virtualenv_prompt }}' '{{ item.virtualenv_path }}'"

  args:

    creates: "{{ item.creates }}"

  become: true

  become_user: "pipreqcheck"

  with_items:

    - name: pipreqcheck

      virtualenv_path: "/var/lib/pipreqcheck/virtualenv"

      python_path: "/usr/bin/python3"

      creates: "/var/lib/pipreqcheck/virtualenv/bin/python3"

- name: Create directory for storing pip requirements files

  file:

    path: "{{ item }}"

    state: "directory"

    owner: root

    group: pipreqcheck

    mode: 0750

  with_items:

    - "/etc/pip_check_requirements_upgrades"

- name: Set-up directory for storing pip requirements file for pip-tools virtual environment itself

  file:

    path: "{{ item }}"

    state: "directory"

    owner: root

    group: pipreqcheck

    mode: 0750

  with_items:

    - "/etc/pip_check_requirements_upgrades/pipreqcheck"

- name: Deploy .in file for pip requirements in pip-tools virtual environment

  template:

    src: "pipreqcheck_requirements.in.j2"

    dest: "{{ item.path }}"

    owner: root

    group: pipreqcheck

    mode: 0640

  with_items:

    - path: "/etc/pip_check_requirements_upgrades/pipreqcheck/requirements.in"

      requirements: "{{ pip_check_requirements_in }}"

- name: Deploy requirements file for pipreqcheck virtual environment

  template:

    src: "pipreqcheck_requirements.txt.j2"

    dest: "{{ item.file }}"

    owner: root

    group: pipreqcheck

    mode: 0640

  with_items:

    - file: "/etc/pip_check_requirements_upgrades/pipreqcheck/requirements.txt"

      requirements: "{{ pip_check_requirements }}"

- name: Install requirements in the pipreqcheck virtual environment

  pip:

    requirements: "{{ item.requirements }}"