---
- hosts: all
  become: true

  tasks:
    - name: Add proxmox gpg key
      ansible.builtin.get_url:
        url: https://enterprise.proxmox.com/debian/proxmox-release-bookworm.gpg
        dest: /etc/apt/trusted.gpg.d/proxmox-release-bookworm.gpg
        checksum: sha512:7da6fe34168adc6e479327ba517796d4702fa2f8b4f0a9833f5ea6e6b48f6507a6da403a274fe201595edc86a84463d50383d07f64bdde2e3658108db7d6dc87
        mode: '0644'
    - name: Add proxmox repo
      ansible.builtin.apt_repository:
        repo: deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription
        state: present
        filename: pve-install-repo
        update_cache: true
    - name: Ensure that pve-enterprise apt repo is removed
      ansible.builtin.apt_repository:
        repo: deb https://enterprise.proxmox.com/debian/pve bookworm pve-enterprise
        state: absent
        filename: pve-enterprise
    - name: Upgrade apt packages
      ansible.builtin.apt:
        upgrade: full
        update_cache: true
    - name: Install pve-kernel-6.2
      ansible.builtin.apt:
        pkg: pve-kernel-6.2
        state: present
    - name: Check if reboot is required
      ansible.builtin.stat:
        path: /var/run/reboot-required
      register: reboot_required
    - name: Reboot if required
      ansible.builtin.reboot:
      when: reboot_required.stat.exists
    - name: Install proxmox-ve postfix and open-iscsi
      ansible.builtin.apt:
        pkg:
          - proxmox-ve
          - postfix
          - open-iscsi
        state: present
    - name: Ensure the Debian Kernel is removed
      ansible.builtin.apt:
        pkg:
          - linux-image-amd64
          - linux-image-6.1*
        state: absent
## TODO: Find a way to only execute this ONLY when the kernel is installed.
    - name: Update grub
      ansible.builtin.command: update-grub
    - name: Remove os-prober
      ansible.builtin.apt:
        pkg: os-prober
        state: absent
    - name: Ensure that pve-enterprise apt repo is removed
      ansible.builtin.apt_repository:
        repo: deb https://enterprise.proxmox.com/debian/pve bookworm pve-enterprise
        state: absent
        filename: pve-enterprise
    - name: Upgrade apt packages
      ansible.builtin.apt:
        upgrade: full
        update_cache: true
    - name: Installing Crowdsec pre-reqs
      ansible.builtin.apt:
        pkg:
          - gnupg
        state: present
    - name: Add crowdsec keyring
      ansible.builtin.get_url:
        url: https://packagecloud.io/crowdsec/crowdsec/gpgkey
        dest: /etc/apt/trusted.gpg.d/crowdsec
        checksum: sha512:5036042aff9d2700a39f64c3a6a70164a76162973e10dacb119aec98e9d60bd4a2f6d6ca4bc2c243a0751fd957baa51e0182fa0cd2f5798d7ec8a7893a1e219f
        mode: '0644'
    - name: Dearmor crowdsec gpg key
      ansible.builtin.command:
        cmd: gpg --dearmor /etc/apt/trusted.gpg.d/crowdsec
        creates: /etc/apt/trusted.gpg.d/crowdsec.gpg
    - name: Ensure keyring is removed
      ansible.builtin.file:
        path: /etc/apt/trusted.gpg.d/crowdsec
        state: absent
    - name: Add crowdsec repo
      ansible.builtin.apt_repository:
        repo: deb https://packagecloud.io/crowdsec/crowdsec/debian/ bookworm main
        state: present
        filename: crowdsec-install-repo
        update_cache: true
    - name: Add crowdsec source repo
      ansible.builtin.apt_repository:
        repo: deb-src https://packagecloud.io/crowdsec/crowdsec/debian/ bookworm main
        state: present
        filename: crowdsec-src-repo
        update_cache: true
    - name: Install firewalld and crowdsec packages
      ansible.builtin.apt:
        pkg:
          - firewalld
          - crowdsec
          - crowdsec-firewall-bouncer-iptables
        update_cache: true
    - name: Add enp5s0 interface to public firewalld zone
      ansible.posix.firewalld:
        state: "enabled"
        interface: "enp5s0"
        zone: public
        immediate: true
        permanent: true
    - name: Configure open ports with firewalld
      ansible.posix.firewalld:
        state: "{{ item.state }}"
        port: "{{ item.port }}"
        zone: public
        immediate: true
        permanent: true
      with_items:
        - { state: 'enabled', port: '22/tcp' }
        - { state: 'enabled', port: '8006/tcp' }
    - name: Enable firewalld masquerade
      ansible.posix.firewalld:
        state: "enabled"
        masquerade: "true"
        zone: public
        immediate: true
        permanent: true
    - name: Enable masquerade rich rule for 192.168.20.0/24 network
      ansible.posix.firewalld:
        state: "enabled"
        rich_rule: "rule family=ipv4 source address=192.168.20.0/24 masquerade"
        permanent: true
        immediate: true
    - name: Enable ipv4 forwarding
      ansible.posix.sysctl:
        name: net.ipv4.ip_forward
        value: 1
        state: present
        reload: true
    - name: Enable ipv6 forwarding
      ansible.posix.sysctl:
        name: net.ipv6.conf.all.forwarding
        value: 1
        state: present
        reload: true
    - name: Add vfio modules to /etc/modules
      ansible.builtin.lineinfile:
        path: /etc/modules
        line: "{{ item }}"
        create: true
      with_items:
        - vfio
        - vfio_iommu_type1
        - vfio_pci
        - vfio_virqfd
    - name: Add intel_iommu=on iommu=pt to debian bookworm kernel start parameters
      ansible.builtin.lineinfile:
        path: /etc/default/grub
        regexp: '^GRUB_CMDLINE_LINUX_DEFAULT='
        line: 'GRUB_CMDLINE_LINUX_DEFAULT="consoleblank=0 systemd.show_status=true intel_iommu=on iommu=pt"'
        state: present
        backup: true
    ## TODO: Find a way to only execute this ONLY when the kernel is installed.
    - name: Update grub
      ansible.builtin.command: update-grub