---
- name: Disable Firewalld
  ansible.builtin.systemd:
    name: firewalld.service
    masked: true
    enabled: false
    force: true
    state: stopped
  tags: services

- name: Set SELinux to permissive
  ansible.posix.selinux:
    policy: targeted
    state: disabled
  tags: services

- name: Ensure packages are upgraded
  ansible.builtin.dnf:
    name: "*"
    state: latest
  tags: packages

- name: remove curl
  ansible.builtin.dnf:
    name: "curl"
    state: absent
  tags: packages

- name: add curl-minimal
  ansible.builtin.dnf:
    name: "curl-minimal"
    state: latest
  tags: packages

- name: Generate SSH key
  block:
    - name: Create ssh key for root
      ansible.builtin.user:
        name: root
        generate_ssh_key: true
        ssh_key_bits: 4096
        ssh_key_file: .ssh/id_rsa
      register: sshkey_register
      tags: sshkey

    - name: fetch_keys
      tags: sshkey
      fetch:
        src: "~/.ssh/id_rsa.pub"
        dest: "files/buffer/infra-id_rsa.pub"
        flat: true
      when: sshkey_register.ssh_public_key != ""
      register: sshkey_fetch

  when: tag.find("infra") != -1 and name == "infra1"
  tags:
    - infra
    - sshkey

- name: Disable SSH Agent Forwarding
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: '^.*AllowAgentForwarding'
    line: 'AllowAgentForwarding no'
  tags: services
  notify:
    - restart_sshd

- name: Setup network
  include_tasks: tasks/setup-network.yml
  when: aio_install is undefined or not aio_install  # don't run when AIO
  args:
    apply:
      tags: interfaces
  tags:
    - interfaces

- name: Setup Infra Nodes
  block:
    - name: Install packages
      ansible.builtin.dnf:
        name:
          - git-core
          - wget
          - chrony
          - openssh-server
          - sudo
        state: latest
      tags: packages
    - name: Clone repository
      ansible.builtin.git:
        repo: https://review.opendev.org/openstack/openstack-ansible
        dest: /opt/openstack-ansible
        version: stable/zed
        # version: 'b958c02eeed355484be12db736ed81a047f7d7c0'
        # refspec: 'refs/changes/81/852181/2'

      tags: repos

    - name: Create ssh key for root
      ansible.builtin.user:
        name: root
        generate_ssh_key: true
        ssh_key_bits: 4096
        ssh_key_file: .ssh/id_rsa
      register: sshkey_register
      tags: sshkey

    - name: fetch_keys
      tags: sshkey
      fetch:
        src: "~/.ssh/id_rsa.pub"
        dest: "files/buffer/infra-id_rsa.pub"
        flat: true
      when: sshkey_register.ssh_public_key != ""
      register: sshkey_fetch
  when: tag.find("infra") != -1 or aio_install | default(false)
  tags: infra

- name: Install packages on non-infra hosts
  when: tag.find("infra") != -1 or aio_install | default(false)
  ansible.builtin.dnf:
    name:
      - iputils
      - lsof
      - openssh-server
      - sudo
      - tcpdump
      - python3
    state: latest

- name: Copy key to others
  ansible.posix.authorized_key:
    user: root
    state: present
    key: "{{ lookup('file', 'files/buffer/infra-id_rsa.pub') }}"
  when: tag.find("infra") == -1 and sshkey_fetch | default(false)
  tags: sshkey

- name: Disable cloud init from future runs
  file:
    path: /etc/cloud/cloud-init.disabled
    state: touch
    mode: '0644'
    owner: root
    group: root
...