#vim: set ft=ansible:
---
# tasks file for bastion

######################### Setting up environment for post deployment administration
- name: create /root/.ssh
  file:
    dest: /root/.ssh
    mode: 0700
    state: directory
  when: not hostvars.localhost.skip_packer_tasks | d(false)
  tags: packer

- name: copy the environment .pem key
  become: true
  copy:
    src: "{{ ANSIBLE_REPO_PATH }}/workdir/{{ env_authorized_key }}"
    dest: /root/.ssh/{{env_authorized_key}}.pem
    owner: root
    group: root
    mode: 0400
  when: use_own_key|bool

- name: copy the user's SSH private key
  become: true
  copy:
    src: "~/.ssh/{{key_name}}.pem"
    dest: "/root/.ssh/{{key_name}}.pem"
    owner: root
    group: root
    mode: 0400
  when: not use_own_key|bool
  tags:
    - copy_env_private_key

- name: Generate host .ssh/config Template
  become: no
  local_action: template src={{ role_path }}/files/bastion_ssh_config.j2 dest={{ ANSIBLE_REPO_PATH }}/workdir/ssh-config-{{ env_type }}-{{ guid }}
  tags:
    - gen_sshconfig_file

- name: copy over host .ssh/config Template
  become: true
  copy:
    src: "{{ ANSIBLE_REPO_PATH }}/workdir/ssh-config-{{ env_type }}-{{ guid }}"
    dest: /root/.ssh/config
    owner: root
    group: root
    mode: 0400
  tags:
    - copy_sshconfig_file

- name: Install python-requests
  ignore_errors: yes
  become: true
  yum:
    name:
    - python-requests
  when: not hostvars.localhost.skip_packer_tasks | d(false)
  tags: packer

# - name: Ensure that iptables service is installed
#   yum:
#     name: iptables-services
#     state: latest

# - name: Ensure that iptables service is enabled and started
#   service:
#     name: iptables
#     enabled: yes
#     state: started

- name: Install mosh
  become: true
  yum:
    name: http://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/m/mosh-1.3.0-1.el7.x86_64.rpm
  ignore_errors: yes
  when: not hostvars.localhost.skip_packer_tasks | d(false)
  tags: packer

- name: Open UDP Ports 60001 - 61000 for Mosh
  iptables:
    action: insert
    protocol: udp
    destination_port: "60001:61000"
    state: present
    chain: INPUT
    jump: ACCEPT

- name: Stat /etc/sysconfig/iptables
  stat:
    path: /etc/sysconfig/iptables
  register: statiptables

- when: statiptables.stat.exists
  block:
    - name: Ensure SSH rule is present
      command: >
        grep "^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT"
        /etc/sysconfig/iptables
      changed_when: false
      failed_when: false
      register: ensuresshpresent

    - name: Open iptables Mosh firewall ports for future sessions
      lineinfile:
        insertbefore: "-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT"
        state: present
        path: /etc/sysconfig/iptables
        line: "-A INPUT -p udp -m multiport --dports 60001:61000 -j ACCEPT"
      when: ensuresshpresent.rc == 0