---
# Preparation play: configures package repositories and opens SSH in the
# host firewall before the actual role runs. The task comments further down
# describe the targets as Molecule test VMs provisioned through Vagrant.
# `hosts: "*"` selects every host of whatever inventory the play is run with.
# NOTE(review): the play rewrites package trust settings and inserts an
# ACCEPT rule for tcp/22, so confirm it only ever runs against disposable
# test inventories.
- name: Prepare
  hosts: "*"
  pre_tasks:
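    # Debian family only: drop the legacy apt-key / sources.list entries for
    # the SLUB repositories, then (re-)create the repositories as deb822
    # sources, each bound to its own key through `signed_by`.
    - name: configure additional package repositories for Debian
      when: ansible_os_family == "Debian"
      block:
        - name: install GPG
          ansible.builtin.apt:
            name: "gnupg"
            state: latest
            update_cache: true
          become: true
        # `state: absent` REMOVES keys; the task used to be named "add ...".
        # Keys in the global apt-key keyring are trusted for every configured
        # repository, which is why the deb822 task below uses a per-repository
        # `signed_by` instead. The first URL is plain HTTP; keep it out of any
        # task that adds a key.
        # NOTE(review): apt_key normally needs an `id` to remove a key; confirm
        # that passing only `url` works with the Ansible version in use.
        - name: remove legacy apt-key entries for SLUB Debian repositories
          ansible.builtin.apt_key:
            url: "{{ item }}"
            state: absent
          loop:
            - "http://bdv141.slub-dresden.de/deb-repository/pub.gpg.key"
            - "https://sdvdebianrepo.slub-dresden.de/deb-repository/pub.gpg.key"
          # changing the APT keyring needs root, like the other tasks in this block
          become: true
        # `state: absent` removes these one-line entries (the task used to be
        # named "add ..."); the same repository is re-added in deb822 form below.
        - name: remove legacy SLUB repo lines from sources.list
          ansible.builtin.apt_repository:
            repo: "{{ item }}"
            state: absent
          loop:
            - "deb http://bdv141.slub-dresden.de/deb-repository lza-testing main"
            - "deb https://sdvdebianrepo.slub-dresden.de/deb-repository bullseye main"
          # editing APT source lists needs root, like the other tasks in this block
          become: true
        # Writes one deb822 source per loop item. Items may omit `components`
        # (default "main"), `enabled` (default true) and `suites` (default: the
        # codename reported by ansible_lsb); `name`, `signed_by` and `uris` are
        # read without a default and therefore must be present.
        - name: modify package repo config
          ansible.builtin.deb822_repository:
            architectures: "amd64"
            components: "{{ item.components | default('main') }}"
            enabled: "{{ item.enabled | default(true) }}"
            name: "{{ item.name }}"
            pdiffs: true
            signed_by: "{{ item.signed_by }}"
            suites: "{{ item.suites | default(ansible_lsb.codename) }}"
            uris: "{{ item.uris }}"
          loop:
            # PC @steidl with local Debian repo for SubAp tests
            # (disabled; note that key and repository are both plain HTTP here)
            # - name: "bdv141"
            #   signed_by: "http://bdv141.slub-dresden.de/deb-repository/pub.gpg.key"
            #   suites: "lza-testing"
            #   uris: "http://bdv141.slub-dresden.de/deb-repository"
            # on-prem Debian Repo
            # The signing key is given as an HTTPS URL and no fingerprint is
            # pinned in this file, so trust in this repository rests on the TLS
            # connection to that host at the time the key is fetched.
            - name: "slub"
              signed_by: "https://sdvdebianrepo.slub-dresden.de/deb-repository/pub.gpg.key"
              uris: "https://sdvdebianrepo.slub-dresden.de/deb-repository"
            # add non-free repos to be able to install libmath-random-perl from official Debian public repo
            # Transport is plain HTTP; package integrity then depends on APT's
            # signature check against the local keyring named in `signed_by`.
            - name: "debian"
              components: ["main", "non-free"]
              signed_by: "/usr/share/keyrings/debian-archive-keyring.gpg"
              suites: ["{{ ansible_lsb.codename }}", "{{ ansible_lsb.codename }}-updates"]
              uris: "http://deb.debian.org/debian"
          notify: update package cache
          become: true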

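    # RedHat family only: define the EPEL and SLUB YUM repositories and delete
    # the old SLUB.repo file so the SLUB repository is not configured twice.
    - name: configure additional package repositories for RedHat
      when: ansible_os_family == "RedHat"
      block:
        - name: add custom repositories
          ansible.builtin.yum_repository:
            name: "{{ item.name }}"
            description: "{{ item.description }}"
            baseurl: "{{ item.baseurl }}"
            # signature checking stays on unless a loop item turns it off
            gpgcheck: "{{ item.gpgcheck | default('true') }}"
            # left out of the repo definition when the item carries no key
            gpgkey: "{{ item.gpgkey | default(omit) }}"
          loop:
            - name: "epel"
              description: EPEL YUM repo
              baseurl: "https://download.fedoraproject.org/pub/epel/{{ ansible_distribution_major_version }}/x86_64/"
              gpgkey: "https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}"
            # NOTE(review): gpgcheck is disabled for this repository, so RPMs
            # from it are installed without signature verification and only
            # the HTTPS transport protects them. If the repository publishes a
            # signing key, add it as `gpgkey` and remove the override below.
            - name: "slub"
              description: SLUB YUM repo
              baseurl: "https://sdvrhelrepo.slub-dresden.de/"
              gpgcheck: "false"
          notify: update package cache
          # repo definitions are written under /etc/yum.repos.d, which needs
          # root; other tasks in this play already escalate the same way
          become: true
        - name: remove legacy repo configuration to avoid double configuration for SLUB repo
          ansible.builtin.file:
            path: "/etc/yum.repos.d/SLUB.repo"
            state: absent
          notify: update package cache
          # deleting a file under /etc/yum.repos.d needs root as well
          become: true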

    # Roles under test may install firewall rules that would cut off the SSH
    # connection Molecule (like Ansible) depends on. To keep the test VM
    # reachable, tcp/22 is accepted from the private /24 subnet that Vagrant
    # uses when provisioning the VM. That subnet differs between
    # servers/platforms, so it is derived from the gathered default IPv4
    # address, passed through `ipaddr`, with a fixed /24 suffix. The rule is
    # inserted at position 1 of INPUT so it is evaluated before anything a role
    # adds later.
    # Consequence for test results: SSH from this subnet is always accepted,
    # so restrictions a role places on tcp/22 are not exercised from there.
    # NOTE(review): the address fact carries no prefix length, so
    # `ipaddr('network')` presumably returns it unchanged and iptables applies
    # the /24 mask itself - confirm, and confirm the subnet really is a /24.
    - name: add firewall rule to allow access from Molecule host into testing VM
      become: true
      ansible.builtin.iptables:
        chain: "INPUT"
        action: "insert"
        rule_num: 1
        protocol: "tcp"
        destination_port: "22"
        source: "{{ ansible_default_ipv4.address | ansible.utils.ipaddr('network') }}/24"
        jump: ACCEPT
        comment: molecule access

  handlers:
    # Notified by the repository tasks of this play whenever they report a
    # change; refreshes the package index through the generic package module.
    - name: update package cache
      become: true
      ansible.builtin.package:
        update_cache: true