- hosts: localhost
  become: true
  vars:
    shell_service_status_helper: |
      echo "----systemd----"
      systemctl --user list-units 'pod-*' -q
      echo ""
      systemctl --user list-units 'container-*' -q
      echo ""
      echo "----podman----"
      podman pod list --sort status --format={{ '"{{.Status}} {{.Name}}"' }}
      echo ""
      podman container list --all --sort status --format={{ '"{{.State}} {{.Status}} {{.Names}}"' }}
      echo ""

  tasks:
    - name: Create containers user
      ansible.builtin.user:
        name: "containers"

    - name: Add bashrc for container service status on login
      ansible.builtin.blockinfile:
        path: "/home/containers/.bashrc"
        owner: "containers"
        group: "containers"
        create: true
        block: "{{ shell_service_status_helper }}"

    - name: Check if fish shell is installed
      ansible.builtin.stat:
        path: "/usr/bin/fish"
      register: fish

    - name: Add fish config for container service status on login
      ansible.builtin.blockinfile:
         path: "/home/containers/.config/fish/conf.d/containers.fish"
         owner: "containers"
         group: "containers"
         create: true
         block: "{{ shell_service_status_helper }}"
      when: fish.stat.exists

    - name: Install systemd-container and podman
      ansible.builtin.package:
        name:
          - "systemd-container"
          - "podman"
        state: present

    - name: Confirm systemd-linger is set for containers user
      ansible.builtin.stat:
        path: "/var/lib/systemd/linger/containers"
      register: linger

    - name: Set systemd-linger for containers user (if necessary)
      ansible.builtin.shell: "loginctl enable-linger containers"
      when: not linger.stat.exists

    - name: Unprivileged port block
      block:
        - name: Confirm port 80 and above is allowed for unprivileged use
          ansible.builtin.shell: "sysctl net.ipv4.ip_unprivileged_port_start |grep 80"

      rescue:
        - name: Set sysctl parameter net.ipv4.ip_unprivileged_port_start=80
          ansible.builtin.lineinfile:
            path: "/etc/sysctl.conf"
            regexp: "^net.ipv4.ip_unprivileged_port_start=80"
            line: "net.ipv4.ip_unprivileged_port_start=80"

        - name: Reload sysctl
          ansible.builtin.shell: "sysctl -p /etc/sysctl.conf"

        - name: Confirm port 80 and above is allowed for unprivileged use
          ansible.builtin.shell: "sysctl net.ipv4.ip_unprivileged_port_start |grep 80"
      tags:
        - never
        - unprivileged-ports

    - name: cPanel DNS-only block
      block:
        - name: Confirm if cpsrvd is not listening on http ports
          ansible.builtin.shell: "whmapi1 get_tweaksetting key='disable_cphttpd' |grep 'value: 1' || /bin/true"
          register: cpsrv_listen

        - name: Turn off cpsrvd listening on http ports (if necessary)
          ansible.builtin.shell: "whmapi1 set_tweaksetting key='disable_cphttpd' value='1' ; /scripts/restartsrv_cpsrvd"
          when: cpsrv_listen.stdout | length == 0

        - name: Turn off firewalld
          ansible.builtin.service:
            name: "firewalld"
            state: stopped
            enabled: false

        - name: Create new tmp directory for podman
          ansible.builtin.file:
            path: "/var/containers/tmp"
            owner: containers
            group: containers
            state: directory

        - name: Configure podman to use new tmp directory
          ansible.builtin.blockinfile:
            path: "/etc/containers/containers.conf"
            create: true
            block: |
              [engine]
              env = ["TMPDIR=/var/containers/tmp"]
      tags:
        - never
        - cpanel-dnsonly