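---
# Baseline role task list: verify the platform, load site variables, apply
# host-type and disk tweaks, manage the EPEL repository, run the hardening
# include, trim firewalld services, configure DNS and join the IPA domain.

# Stop early on anything other than Rocky 9; every later task assumes it.
- name: Baseline | PRELIM | Check for supported operating system
  ansible.builtin.assert:
    that:
      - ansible_distribution == "Rocky"
      - ansible_distribution_major_version == "9"
    fail_msg: >-
      Unsupported operating system
      {{ ansible_distribution }} {{ ansible_distribution_major_version }};
      this baseline supports Rocky 9 only.

# The vars file name is derived from baseline_location, so that variable must
# be set by the caller (inventory or play vars).
- name: Baseline | PRELIM | Include location specific variables
  ansible.builtin.include_vars:
    file: "{{ baseline_location }}.yml"

- name: Baseline | PATCH | Configure virtual machine for optimal operation as a SolusVM guest
  ansible.builtin.include_tasks:
    file: "solusvm.yml"
  when: baseline_host_type == "solusvm"

- name: Baseline | PATCH | Setup second disk for additional partitions
  ansible.builtin.include_tasks:
    file: disk_partitions.yml
  when: baseline_second_disk_device is defined

# EPEL is enabled only when an explicit package allow-list is supplied.
# NOTE(review): the source layout was collapsed; the condition is read as
# applying to the whole block (installing epel-release unconditionally and
# removing it in the next task would be contradictory) - confirm.
- name: Baseline | PATCH | Enable EPEL repository
  when: (baseline_epel_packages_allowed is defined) and (baseline_epel_packages_allowed | length > 0)
  block:
    - name: Baseline | PATCH | Install epel-release
      ansible.builtin.dnf:
        name: epel-release
        state: present

    # includepkgs limits what dnf will take from this repository to the
    # allow-list, so the third-party repo cannot supply any other package.
    # owner/group/mode are pinned because ini_file creates the file when it
    # is missing and would otherwise fall back to the process umask.
    - name: Baseline | PATCH | Restrict packages to be installed from EPEL
      community.general.ini_file:
        path: /etc/yum.repos.d/epel.repo
        section: epel
        option: includepkgs
        value: "{{ baseline_epel_packages_allowed | join(',') }}"
        owner: root
        group: root
        mode: "0644"

    # The value is quoted so it is written as the literal string 0 instead of
    # relying on implicit integer-to-string conversion.
    - name: Baseline | PATCH | Disable EPEL openh264 repository
      community.general.ini_file:
        path: /etc/yum.repos.d/epel-cisco-openh264.repo
        section: epel-cisco-openh264
        option: enabled
        value: "0"
        owner: root
        group: root
        mode: "0644"

# Inverse of the condition above: with no allow-list the repository package
# is removed rather than left enabled and unrestricted.
- name: Baseline | PATCH | Remove EPEL repository
  ansible.builtin.dnf:
    name: epel-release
    state: absent
  when: (baseline_epel_packages_allowed is not defined) or (baseline_epel_packages_allowed | length == 0)

- name: Baseline | PATCH | Remove cockpit-ws
  ansible.builtin.dnf:
    name: cockpit-ws
    state: absent

# Run any handlers notified so far before the hardening include starts.
- name: Baseline | PATCH | Flush handlers
  ansible.builtin.meta: flush_handlers

# "| bool" makes the toggle behave the same whether it arrives as a real
# boolean or as a string (for example from -e on the command line); a bare
# non-empty string such as "false" would otherwise be treated as true.
- name: Baseline | PATCH | Run Ansible Lockdown role
  ansible.builtin.include_tasks:
    file: "lockdown.yml"
  when: baseline_lockdown | bool

# Symbolic mode: clears execute for the owner and write/execute for group and
# other, leaving the remaining permission bits as they are.
- name: Baseline | PATCH | Ensure message of the day is configured properly (CIS 1.7.1, 1.7.4)
  ansible.builtin.template:
    src: motd.j2
    dest: /etc/motd
    owner: root
    group: root
    mode: 'u-x,go-wx'

# The next three tasks close services in the public zone, both in the running
# configuration (immediate) and in the saved one (permanent). Other zones are
# not touched here.
- name: Baseline | PATCH | Remove dhcpv6-client service from firewalld
  ansible.posix.firewalld:
    service: dhcpv6-client
    state: disabled
    immediate: true
    permanent: true
    zone: public

- name: Baseline | PATCH | Remove mdns service from firewalld
  ansible.posix.firewalld:
    service: mdns
    state: disabled
    immediate: true
    permanent: true
    zone: public

- name: Baseline | PATCH | Remove cockpit service from firewalld
  ansible.posix.firewalld:
    service: cockpit
    state: disabled
    immediate: true
    permanent: true
    zone: public

- name: Baseline | PATCH | Configure DNS resolver
  ansible.builtin.include_tasks:
    file: dns_resolver.yml

# Apply pending handlers before the domain join.
# NOTE(review): presumably so resolver changes are active first - confirm
# against the handlers notified by dns_resolver.yml.
- name: Baseline | PATCH | Flush handlers
  ansible.builtin.meta: flush_handlers

# Hosts in the ipaservers inventory group are skipped; only the remaining
# hosts are enrolled as clients.
- name: Baseline | PATCH | Join IPA Domain
  ansible.builtin.include_tasks:
    file: ipaclient.yml
  when: "'ipaservers' not in group_names"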