# Preparations (low-level e.g. remote support, DNS prep, HW/OS, basic security)

- name: ...IS BEGINNING ============================================
  meta: noop

- name: SSHD -- required by OpenVPN below -- also run by roles/4-server-options/tasks/main.yml
  include_role:
    name: sshd
  when: sshd_install

- name: OPENVPN
  include_role:
    name: openvpn
  when: openvpn_install

- name: REMOTE.IT
  include_role:
    name: remoteit
  when: remoteit_install

- name: IIAB-ADMIN -- includes roles/iiab-admin/tasks/access.yml
  include_role:
    name: iiab-admin
  #when: iiab_admin_install    # Flag might be created in future?

- name: Copy iiab-summary & iiab-apps-to-be-installed from /opt/iiab/iiab/scripts/ to /usr/bin/
  copy:
    src: "{{ iiab_dir }}/scripts/{{ item }}"
    dest: /usr/bin/
    mode: '0755'
  with_items:
    - iiab-summary
    - iiab-apps-to-be-installed

- name: Install dnsmasq -- configure LATER in 'network', after Stage 9
  include_tasks: roles/network/tasks/dnsmasq.yml
  #when: dnsmasq_install    # Flag might be used in future?

- include_tasks: uuid.yml
- include_tasks: ubermix.yml

- name: install-expand-rootfs.yml, raspberry_pi.yml, NUC6 WiFi firmware, check for WiFi devices
  include_tasks: hardware.yml


# Debian 10 "Buster" is apparently enabling AppArmor in 2019:
# https://wiki.debian.org/AppArmor/Progress
# https://wiki.debian.org/AppArmor/HowToUse
# https://packages.debian.org/buster/apparmor
# Curiously this has NOT stopped IIAB 7.0/master from working on Debian 10
# pre-releases, during @floydianslips' March 2019 testing anyway!  SEE #1387

# PR #2654 - AppArmor works w/ IIAB on Debian 10/11, so also now on Ubuntu?
#- name: Disable AppArmor -- override OS default (ubuntu)
#  systemd:
#    name: apparmor
#    enabled: False
#    state: stopped
#  when: is_ubuntu
#  ignore_errors: True

# PR #2648 - Can be restored in future if truly nec, w ansible.posix collection
#- name: Disable SELinux on next boot (OS's other than debuntu)
#  selinux:
#    state: disabled
#  register: selinux_disabled
#  when: not is_debuntu

#- name: Disable SELinux for this session (OS's other than debuntu, if needed)
#  command: setenforce Permissive
#  when: not is_debuntu and selinux_disabled is defined and selinux_disabled.changed


- name: Install {{ iiab_env_file }} from template -- FYI this file can be run as a script if absolutely nec -- e.g. 'source /etc/iiab/iiab.env && echo $WWWROOT'
  template:
    src: roles/1-prep/templates/iiab.env.j2
    dest: "{{ iiab_env_file }}"

- name: Recording STAGE 1 HAS COMPLETED ============================
  meta: noop