---
- name: Prepare
  hosts: "*"
  pre_tasks:
    # Debian family only: make sure GnuPG is available, then register SLUB's
    # own APT repository as a deb822 source.
    - name: configure additional package repositories for Debian
      when: ansible_os_family == "Debian"
      block:
        # `state: latest` moves gnupg to the newest version the configured
        # repositories offer on every run; the version is not pinned.
        - name: install GPG
          become: true
          ansible.builtin.apt:
            name: gnupg
            update_cache: true
            state: latest

        # NOTE(review): `signed_by` points at a URL on the same host that
        # serves the packages, so the trust in that key rests on TLS to that
        # one host. No key fingerprint is checked here; vendoring the key or
        # verifying its fingerprint would give an independent trust anchor.
        # NOTE(review): `ansible_lsb` is presumably only populated when
        # lsb_release exists on the target - confirm for the test images.
        - name: add custom repo for SLUB's custom Debian repo
          become: true
          notify: update package cache
          ansible.builtin.deb822_repository:
            name: slub
            enabled: true
            uris: 'https://sdvdebianrepo.slub-dresden.de/deb-repository'
            suites: "{{ ansible_lsb.codename }}"
            components: main
            architectures: amd64
            pdiffs: true
            signed_by: 'https://sdvdebianrepo.slub-dresden.de/deb-repository/pub.gpg.key'

    # RedHat family only: register the EPEL and SLUB YUM repositories and
    # delete the superseded SLUB.repo file.
    - name: configure additional package repositories for RedHat
      when: ansible_os_family == "RedHat"
      block:
        # One repository definition per loop item. Signature checking defaults
        # to 'true' and `gpgkey` is omitted when an item does not define one.
        #
        # NOTE(review): the "slub" item overrides gpgcheck with "false" and
        # carries no gpgkey, so packages from that repository are installed
        # without signature verification; their authenticity rests on TLS to
        # the repository host alone. If the repository publishes a signing
        # key, supply it as `gpgkey` and drop the override.
        - name: add custom repositories
          become: true
          notify: update package cache
          loop:
            - name: epel
              description: 'EPEL YUM repo'
              baseurl: "https://download.fedoraproject.org/pub/epel/{{ ansible_distribution_major_version }}/x86_64/"
              gpgkey: "https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}"
            - name: slub
              description: 'SLUB YUM repo'
              baseurl: 'https://sdvrhelrepo.slub-dresden.de/'
              gpgcheck: 'false'
          ansible.builtin.yum_repository:
            name: "{{ item.name }}"
            description: "{{ item.description }}"
            baseurl: "{{ item.baseurl }}"
            gpgkey: "{{ item.gpgkey | default(omit) }}"
            gpgcheck: "{{ item.gpgcheck | default('true') }}"

        # The older SLUB.repo file would define the same repository a second
        # time, so it is removed.
        - name: remove legacy repo configuration to avoid double configuration for SLUB repo
          become: true
          notify: update package cache
          ansible.builtin.file:
            state: absent
            path: '/etc/yum.repos.d/SLUB.repo'

    # The role under test installs many firewall rules, some of which would
    # lock us out of the Molecule test VM. Molecule reaches the VM over SSH,
    # just like Ansible, so tcp/22 has to stay open for the private subnet
    # that Vagrant uses when provisioning the VM. That subnet is not known in
    # advance and can differ across servers/platforms, so the source is built
    # from the VM's default IPv4 address at run time. The rule is inserted at
    # position 1 of INPUT so that it is evaluated before any later rule.
    #
    # NOTE(review): the prefix length is the literal "/24" appended below; it
    # is not read from the interface's netmask. The address fact presumably
    # carries no prefix, so the `ipaddr('network')` filter may return it
    # unchanged - confirm.
    # This ACCEPT admits SSH from every host in that /24 and is meant for the
    # throwaway test VM only; it should not be copied into a production play.
    - name: add firewall rule to allow access from Molecule host into testing VM
      become: true
      ansible.builtin.iptables:
        chain: INPUT
        action: insert
        rule_num: 1
        protocol: tcp
        source: "{{ ansible_default_ipv4.address | ansible.utils.ipaddr('network') }}/24"
        destination_port: "22"
        jump: ACCEPT
        comment: 'molecule access'

  handlers:
    # Refreshes the package manager's metadata after a repository definition
    # changed. The name must match the `notify:` entries in this play exactly.
    - name: update package cache
      become: true
      ansible.builtin.package:
        update_cache: true