---

- name: Install misc software
  apt:
    name:
    - ca-certificates
    - dnsutils
    - git
    - htop
    - less
    - mtr-tiny
    - net-tools
    - openssl
    - psmisc
    - pydf
    - rsync
    - sudo
    - vim-nox
    - wget
    - zsh
    - fail2ban

- name: Install software on KVM VMs
  apt:
    name:
    - acpid
    - qemu-guest-agent
  when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"

- name: Configure misc software
  copy: src={{ item.src }} dest={{ item.dest }}
  diff: no
  with_items:
  - { src: ".zshrc", dest: "/root/.zshrc" }
  - { src: ".zshrc.local", dest: "/root/.zshrc.local" }
  - { src: "motd", dest: "/etc/motd" }
  - { src: "vimrc.local", dest: "/etc/vim/vimrc.local" }

- name: Set shell for root user
  user: name=root shell=/bin/zsh

- name: Disable hibernation/resume
  copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
  notify: update-initramfs

- name: Enable serial console on KVM VMs
  lineinfile:
    path: "/etc/default/grub"
    state: "present"
    regexp: "^#?GRUB_CMDLINE_LINUX=.*"
    line: "GRUB_CMDLINE_LINUX=\"console=ttyS0,115200 console=tty0\""
  notify: update-grub
  when: ansible_virtualization_role == "guest" and ansible_virtualization_type == "kvm"

- name: Prevent normal users from running su
  lineinfile:
    path: /etc/pam.d/su
    regexp: "^.*auth\\s+required\\s+pam_wheel.so$"
    line: "auth       required   pam_wheel.so"

- name: Configure journald retention
  lineinfile:
    path: "/etc/systemd/journald.conf"
    state: "present"
    regexp: "^#?MaxRetentionSec=.*"
    line: "MaxRetentionSec=7day"
  notify: Restart journald

- name: Set logrotate.conf to daily
  replace:
    path: "/etc/logrotate.conf"
    regexp: "(?:weekly|monthly)"
    replace: "daily"

- name: Set logrotate.conf rotation to 7
  replace:
    path: "/etc/logrotate.conf"
    regexp: "rotate [0-9]+"
    replace: "rotate 7"