main.yml
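---
# Image build play: applies base-system configuration to the `vm` host group,
# pulls in the per-area task files under playbooks/, and finally stamps the
# image with build-time and revision information.
- name: Do Everything
  hosts: vm
  become: true
  # `remote_user` is the current spelling of the legacy `user` play keyword.
  remote_user: imageadmin
  gather_facts: true
  vars:
    ansible_python_interpreter: /usr/bin/python3
  tasks:
    # NOTE(review): the task name mentions icpcadmin, but the destinations
    # below are /root and /home/imageadmin; confirm which account is meant.
    - name: copy pam_environment to make sure the proxy is disabled for icpcadmin(and root)
      copy:
        src: files/pam_environment
        dest: "{{ item }}/.pam_environment"
        mode: "0644"
      loop:
        - /root
        - /home/imageadmin

    # NOTE(review): files/pam_sudo is not visible here. Per the task name it
    # makes sudo's PAM stack read ~/.pam_environment, a file the invoking user
    # can replace inside their own home directory. Confirm that only the proxy
    # variables are meant to reach privileged sessions this way.
    # Ownership and mode are pinned so the PAM config is never left writable
    # by a non-root account.
    - name: copy updated pam sudo config so it reads .pam_environment
      copy:
        src: files/pam_sudo
        dest: /etc/pam.d/sudo
        owner: root
        group: root
        mode: "0644"

    # force-unsafe-io skips dpkg's fsync calls: faster installs, but a crash
    # mid-install can leave packages corrupt. Presumably acceptable because
    # this is an image build; confirm the file should persist in the
    # shipped image.
    - name: disable fsync for dpkg
      copy:
        dest: /etc/dpkg/dpkg.cfg.d/02-dpkg-no-sync
        content: "force-unsafe-io"
        owner: root
        group: root
        mode: "0644"

    - name: disable apt cache
      copy:
        dest: /etc/apt/apt.conf.d/02-fast-apt
        owner: root
        group: root
        mode: "0644"
        content: |
          # Disable some apt-caching
          Dir::Cache {
          srcpkgcache "";
          pkgcache "";
          }
          # No translations
          Acquire::Language "none";

    - name: be sure apt cache is updated
      apt:
        update_cache: true
        upgrade: dist

    - name: set up efi booting
      apt:
        pkg:
          - grub-efi
          - grub-efi-amd64-signed
        state: present

    # Runs on every play execution; the command module has no way to know
    # whether grub is already installed on /dev/sda.
    - name: run grub-install for efi
      command: grub-install --no-nvram --uefi-secure-boot --target=x86_64-efi /dev/sda

    - name: remove snap package
      apt:
        name: snapd
        purge: true
        state: absent

    - name: clean up any leftover snap data
      file:
        state: absent
        path: "{{ item }}"
      loop:
        - /snap
        - /var/snap
        - /var/lib/snapd
        - /var/cache/snapd
        - /run/snapd-snap.socket
        - /run/snapd.socket
        - /etc/apt/apt.conf.d/20snapd.conf

    # A negative pin priority stops apt from ever selecting snapd again.
    - name: prevent snapd from being installed later
      copy:
        dest: /etc/apt/preferences.d/snapd-disable
        owner: root
        group: root
        mode: "0644"
        content: |
          Package: snapd
          Pin: release *
          Pin-Priority: -1

    # remove cloud init, because it's a security issue (a cd/other usb drive
    # could give someone root)
    - name: remove cloud-init
      apt:
        pkg: cloud-init
        state: absent
        purge: true

    - import_tasks: 'playbooks/gui.yml'
    - import_tasks: 'playbooks/reverseproxy.yml'
    - import_tasks: 'playbooks/compilers.yml'
    - import_tasks: 'playbooks/devel_tools.yml'
    - import_tasks: 'playbooks/icpc.yml'
    - import_tasks: 'playbooks/vmtouch.yml'
    - import_tasks: 'playbooks/firewall.yml'
    - import_tasks: 'playbooks/system.yml'

    # Management related things
    - import_tasks: 'playbooks/ansible-pull.yml'
    - import_tasks: 'playbooks/reversetunnel.yml'
    - import_tasks: 'playbooks/vpn.yml'
    - import_tasks: 'playbooks/monitoring.yml'

    - name: autoremove/autoclean apt
      block:
        - name: remove packages that are no longer required
          apt:
            autoremove: true
        - name: drop obsolete package files from the apt cache
          apt:
            autoclean: true
        # No shell features are needed here, so `command` replaces `shell`.
        - name: empty the apt package cache
          command: apt-get clean

    - name: ensure systemd-timesyncd is running (to make sure ntp is working properly)
      # This will/should fail if ntp is installed
      service:
        name: systemd-timesyncd
        state: started

    # Copy some build information to the image.
    # Runs on the control node without privilege escalation, so the revision
    # comes from the checkout the playbook is run from.
    # NOTE(review): `git rev-list --all | head -1` prints the newest commit
    # reachable from any ref, which is not necessarily the checked-out commit;
    # confirm that is the revision the image should be labelled with.
    # NOTE(review): whether echo expands "\n" depends on the control node's
    # /bin/sh.
    - name: collect build date and git revision on the control node
      shell: 'echo "Built on $(date +"%Y-%m-%d %H:%M:%S")\nRevision: $(git rev-list --full-history --all --abbrev-commit | head -1)\n"'
      become: false
      register: git_revision
      delegate_to: 127.0.0.1
      # Read-only command: never report it as a change.
      changed_when: false

    - name: copy version info
      copy:
        content: "{{ git_revision.stdout }}\n"
        dest: /icpc/version
        mode: "0644"

    # - name: zero out the disk so it's more optimal (this is part of the makeDist script)
    #   shell: |
    #     dd if=/dev/zero of=/empty bs=1M || true
    #     rm -f /empty
    #     sync

  # No task in this file notifies these handlers; presumably the imported task
  # files do (verify against playbooks/*.yml).
  handlers:
    # `passwd -d` deletes the password, leaving `contestant` able to log in
    # locally with no password. NOTE(review): confirm remote login paths (for
    # example sshd) reject empty passwords on the finished image.
    - name: clear user password
      command: passwd -d contestant

    - name: update grub
      command: /usr/sbin/update-grub

    - name: restart squid
      service:
        name: squid
        state: restarted

    - name: update-ca-certificates
      command: /usr/sbin/update-ca-certificates

    - name: restart ssh
      service:
        name: ssh
        state: restarted

    - name: reload nginx
      ansible.builtin.service:
        name: nginx
        state: reloaded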