---
- name: Step 004 Environment specific Software
  hosts: localhost
  gather_facts: False
  become: false
  tasks:
    - debug:
        msg: "Software tasks Started"


- name: Deploy Roles if infra_workloads defined
  hosts:
    - nodes
  gather_facts: false
  run_once: false
  become: yes
  tags:
    - infra_workloads
  tasks:
  - name: apply infra workloads roles on nodes
    when:
    - infra_workloads|d("")|length > 0
    block:
      - name: Apply role "{{ workload_loop_var }}" on nodes
        include_role:
          name: "{{ workload_loop_var }}"
        vars:
          ACTION: "provision"
        loop: "{{ infra_workloads.split(',')|list }}"
        loop_control:
          loop_var: workload_loop_var

- name: Configure bastion for SELinux workshop
  hosts: all
  gather_facts: false
  become: true
  vars:
    avc: |
      '----
      time->Mon Nov 17 01:45:36 2008
      type=AVC msg=audit(1226882736.442:86): avc:  denied  { getattr } for  pid=2427 comm="httpd" path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
      type=SYSCALL msg=audit(1226882736.442:86): arch=40000003 syscall=196 success=no exit=-13 a0=b9a1e198 a1=bfc2921c a2=54dff4 a3=2008171 items=0 ppid=2425 pid=2427 auid=502 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)'

  tasks:
  - name: Install all needed packages
    package:
      state: present
      name:
        - selinux-policy-devel
        - ansible
        - policycoreutils
        - policycoreutils-python-utils
        - audit
        - git
        - setools-console
        - selinux-policy-doc
        - policycoreutils-newrole
        - setroubleshoot-server
        - make
        - gcc-c++
        - rpm-build
        - libcurl-devel
        - cockpit
        - cockpit-dashboard
        - cockpit-shell
        - cockpit-system
        - cockpit-ws
        - subscription-manager-cockpit
        - cockpit-composer
        - cockpit-session-recording
        - cockpit-machines
        - cockpit-packagekit
        - cockpit-podman
        - cockpit-storaged

  - name: Ensure cockpit is started
    systemd:
      name: "cockpit.socket"
      state: "started"
      enabled: true
      daemon_reload: true

  - name: Enable SELinux
    selinux:
      policy: targeted
      state: enforcing

  - name: Create testaudit file
    copy:
      mode: '0644'
      owner: root
      dest: /root/testaudit
      content: "{{ avc  }}"

  - name: Copy testaudit also to user dir
    copy:
      src: /root/testaudit
      dest: /home/ec2-user
      owner: ec2-user
      group: ec2-user
      mode: '0644'
      force: true
      remote_src: yes

  - name: Create .vimrc in user home dir
    copy:
      content: ""
      dest: /home/ec2-user/.vimrc
      owner: ec2-user
      group: ec2-user
      mode: '0644'
      force: no

- name: Software flight-check
  hosts: localhost
  connection: local
  gather_facts: false
  become: false
  tags:
    - post_flight_check
  tasks:
    - debug:
        msg: "Software checks completed successfully"