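---
# Base provisioning tasks: apt maintenance, sysctl, root shell environment,
# locale/timezone, SSH hardening and a Prometheus node_exporter install.
# Variables expected from the caller: base_packages, x11_display_host,
# timezone, system_locale, ssh_public_keys (optional). The "restart ssh"
# handler is defined outside this file.

- name: Update and upgrade apt packages (full upgrade)
  ansible.builtin.apt:
    upgrade: full
    update_cache: true
    cache_valid_time: 3600

- name: Install base packages
  ansible.builtin.apt:
    name: "{{ base_packages }}"
    state: present
    update_cache: true

- name: Remove unused packages
  ansible.builtin.apt:
    autoremove: true
    autoclean: true

- name: Disable IPv6 via sysctl
  ansible.posix.sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    sysctl_set: true
    state: present
    reload: true
  loop:
    - { name: 'net.ipv6.conf.all.disable_ipv6', value: '1' }
    - { name: 'net.ipv6.conf.default.disable_ipv6', value: '1' }

- name: Ensure /root/.bashrc exists
  ansible.builtin.file:
    path: /root/.bashrc
    state: touch
    mode: '0644'
    # "touch" updates timestamps on every run and reports "changed";
    # preserving them keeps the task idempotent once the file exists.
    modification_time: preserve
    access_time: preserve

- name: Add custom aliases and environment to ~/.bashrc
  ansible.builtin.blockinfile:
    path: /root/.bashrc
    marker: "# {mark} ANSIBLE MANAGED BLOCK: CUSTOM ALIASES AND ENV"
    # Block content is shell, not YAML: the '#' lines below are shell comments
    # written verbatim into .bashrc.
    block: |
      # Работа с файлами
      alias rm='rm -i' # Удалить с подтверждением
      alias cp='cp -i' # Копировать с подтверждением
      alias mv='mv -i' # Переместить с подтверждением
      # ls - вывод списка файлов
      alias ls='ls --color=auto' # Цветной вывод
      alias ll='ls -la' # Показывать скрытые файлы и представлять вывод в виде списка
      alias l.='ls -d .* --color=auto' # Показать только скрытые файлы
      # mount - монтирование разделов
      alias mount='mount | column -t' # Вывод mount читаемым
      # История
      alias h='history' # История команд bash
      alias c='clear' # Очистить окно терминала
      # Дата и время
      alias now='date +%T' # Время сейчас
      alias nowdate='date +%d-%m-%Y' # Только дата
      # Сеть
      alias ping5='ping -c 5' # Посылать только пять запросов
      alias ports='netstat -tulanp' # Открытые порты
      # Работа с пакетами
      alias update='sudo apt update && sudo apt upgrade' # Обновление одной командой
      # Работа с системой
      alias meminfo='free -m -l -t' # Сколько памяти занято
      alias psmem='ps auxf | sort -nr -k 4 | head -10' # 10 процессов с самой большой нагрузкой на память
      # Переменные окружения
      export DISPLAY="{{ x11_display_host }}:0"
      export HISTTIMEFORMAT='%F %T '
    owner: root
    mode: '0644'

- name: Configure timezone
  community.general.timezone:
    name: "{{ timezone }}"

- name: Configure locale
  community.general.locale_gen:
    name: "{{ system_locale }}"
    state: present

- name: Set default locale
  ansible.builtin.lineinfile:
    path: /etc/default/locale
    line: "LANG={{ system_locale }}"
    state: present
    create: true

- name: Ensure required directories exist
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    mode: '0755'
  loop:
    - /opt/scripts
    - /etc/apt/keyrings

- name: Install Python requests library (if needed)
  ansible.builtin.apt:
    name: python3-requests
    state: present
  when: ansible_connection != "local"

- name: Ensure SSH directory exists
  ansible.builtin.file:
    path: /root/.ssh
    state: directory
    owner: root
    group: root
    mode: '0700'

- name: Add authorized key for root
  ansible.posix.authorized_key:
    user: root
    state: present
    key: "{{ item }}"
  loop: "{{ ssh_public_keys | default([]) }}"

# Each regexp matches only an active (uncommented) directive; a commented
# default is left in place and the line is appended. Drop-ins under
# /etc/ssh/sshd_config.d/ (e.g. cloud-init's) can still override these
# values if the Include line precedes them — verify with `sshd -T`.
# `validate` runs a syntax check before the file is replaced so a typo
# cannot leave sshd unable to start.
- name: Configure SSH security
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    state: present
    validate: '/usr/sbin/sshd -t -f %s'
  loop:
    - { regexp: '^PasswordAuthentication', line: 'PasswordAuthentication no' }
    - { regexp: '^PermitRootLogin', line: 'PermitRootLogin prohibit-password' }
    - { regexp: '^PubkeyAuthentication', line: 'PubkeyAuthentication yes' }
  notify: restart ssh

# ========== Node Exporter Installation ==========

# Version and checksum are overridable from inventory; defaults keep the
# previous hard-coded release. node_exporter_checksum should be set to
# "sha256:<digest from the release's sha256sums.txt>"; when unset the
# download is not verified (previous behaviour).
- name: Set node_exporter release facts
  ansible.builtin.set_fact:
    node_exporter_version: "{{ node_exporter_version | default('1.8.2') }}"
    node_exporter_arch: "{{ node_exporter_arch | default('linux-amd64') }}"

- name: Set node_exporter tarball name
  ansible.builtin.set_fact:
    node_exporter_tarball: "node_exporter-{{ node_exporter_version }}.{{ node_exporter_arch }}.tar.gz"

- name: Create node_exporter system user
  ansible.builtin.user:
    name: node_exporter
    system: true
    shell: /usr/sbin/nologin
    create_home: false

- name: Check whether node_exporter binary is already installed
  ansible.builtin.stat:
    path: /usr/local/bin/node_exporter
  register: node_exporter_bin

- name: Download node_exporter release tarball
  ansible.builtin.get_url:
    url: "https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_version }}/{{ node_exporter_tarball }}"
    dest: "/tmp/{{ node_exporter_tarball }}"
    checksum: "{{ node_exporter_checksum | default(omit) }}"
    mode: '0644'
  when: not node_exporter_bin.stat.exists

- name: Extract node_exporter binary
  ansible.builtin.unarchive:
    src: "/tmp/{{ node_exporter_tarball }}"
    dest: /tmp
    remote_src: true
    creates: /usr/local/bin/node_exporter
  when: not node_exporter_bin.stat.exists

- name: Install node_exporter binary
  ansible.builtin.copy:
    src: "/tmp/node_exporter-{{ node_exporter_version }}.{{ node_exporter_arch }}/node_exporter"
    dest: /usr/local/bin/node_exporter
    owner: root
    group: root
    mode: '0755'
    remote_src: true
  when: not node_exporter_bin.stat.exists

- name: Create textfile collector directory
  ansible.builtin.file:
    path: /var/lib/node_exporter/textfile_collector
    state: directory
    owner: node_exporter
    group: node_exporter
    mode: '0755'

# The exporter binds to all interfaces on 9100 and serves unauthenticated
# metrics; reachability should be limited by the firewall rule below or by
# an upstream reverse proxy.
- name: Deploy node_exporter systemd service
  ansible.builtin.copy:
    content: |
      [Unit]
      Description=Node Exporter
      After=network.target

      [Service]
      Type=simple
      User=node_exporter
      Group=node_exporter
      ExecStart=/usr/local/bin/node_exporter \
        --collector.systemd \
        --collector.processes \
        --collector.textfile.directory=/var/lib/node_exporter/textfile_collector \
        --web.listen-address=:9100
      Restart=always
      RestartSec=5
      # Sandboxing: the exporter only reads /proc, /sys and its textfile directory.
      NoNewPrivileges=true
      PrivateTmp=true
      ProtectHome=true
      ProtectSystem=full

      [Install]
      WantedBy=multi-user.target
    dest: /etc/systemd/system/node_exporter.service
    owner: root
    group: root
    mode: '0644'

- name: Reload systemd and start node_exporter
  ansible.builtin.systemd:
    name: node_exporter
    state: started
    enabled: true
    daemon_reload: true

# ansible_facts.services is only populated by service_facts; without it the
# condition on the ufw task is evaluated against an undefined fact.
- name: Gather service facts for firewall check
  ansible.builtin.service_facts:

# node_exporter_allowed_src (optional) restricts the rule to the Prometheus
# server's address; when unset the port is open to any source (previous
# behaviour).
- name: Allow port 9100 in ufw (if enabled)
  community.general.ufw:
    rule: allow
    port: 9100
    proto: tcp
    from_ip: "{{ node_exporter_allowed_src | default(omit) }}"
    comment: "Prometheus Node Exporter"
  when: ansible_facts.services["ufw.service"] is defined and ansible_facts.services["ufw.service"]["state"] == "running"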