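### -*-yaml-*-
###
### Tasks applicable for all hosts.
###
### Module arguments are written as YAML mappings rather than key=value
### strings, and octal modes are quoted so that no YAML loader can reread
### them as integers.  Every installed file gets an explicit owner, group
### and mode: without them a newly created file takes whatever the remote
### umask gives it and an existing file keeps whatever it already had.

---

###--------------------------------------------------------------------------
### General permissions.

## Keep root's home directory closed to accounts outside group root.
- name: fix permissions in /root
  tags: [perms, root-perms]
  file:
    path: /root
    mode: "0750"
    owner: root
    group: root

###--------------------------------------------------------------------------
### PKI machinery.

## Files under /etc/cron.daily are conventionally run by root's cron, so
## they must not be writable by anyone else; run-parts also skips entries
## that lack the executable bit, hence the explicit 0755.
- name: install PKI maintenance scripts
  tags: [pki, pki-scripts]
  copy:
    src: "pki/{{ item }}"
    dest: /etc/cron.daily/
    owner: root
    group: root
    mode: "0755"
  with_items:
    - update-ca-certs
    - check-x509-certs

## CA certificate, DH parameters and OpenSSL configuration: readable by
## every service that verifies peers, writable by root only.
## NOTE(review): 0644 assumes none of these files is private key material;
## confirm against the contents of files/pki/.
- name: install common PKI files
  tags: [pki, pki-keys]
  copy:
    src: "pki/{{ item }}"
    dest: /etc/ca/
    owner: root
    group: root
    mode: "0644"
  with_items:
    - ca.cert
    - dh-param.pem
    - dh-param-2048.pem
    - openssl.conf

## The relative target is resolved from /etc/pki/CA/, i.e. it points at
## /etc/ca/ca.cert installed by the previous task.
- name: install /etc/pki/CA link
  tags: [pki, pki-link]
  file:
    path: /etc/pki/CA/cacert.pem
    state: link
    src: ../../ca/ca.cert

###--------------------------------------------------------------------------
### NTP configuration.

## Skipped on hosts whose `server' list contains `ntp'; hosts that do not
## define `server' at all are treated as having an empty list.
- name: install NTP client configuration files
  tags: [ntp, ntp-client]
  copy:
    src: ntp-client/ntp.conf
    dest: /etc/
    owner: root
    group: root
    mode: "0644"
  when: "'ntp' not in (server | default([]))"
  notify: restart ntpd

###--------------------------------------------------------------------------
### Network databases.

## Name-resolution databases are consulted by every process on the host:
## world-readable, root-writable.
- name: install netdb files
  tags: [netdb]
  copy:
    src: "netdb/{{ item }}"
    dest: /etc/
    owner: root
    group: root
    mode: "0644"
  with_items:
    - hosts
    - networks
    - services

###--------------------------------------------------------------------------
### SSH configuration.
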
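## System-wide client and server SSH settings.  Explicit root ownership and
## 0644 keep anyone but root from altering what sshd is later configured
## from.
- name: install SSH configuration files
  tags: [ssh, ssh-config]
  copy:
    src: "ssh-config/{{ item }}"
    dest: /etc/ssh/
    owner: root
    group: root
    mode: "0644"
  notify: restart ssh
  with_items:
    - Makefile
    - ssh_config
    - sshd_config.m4
    - moduli

## Inputs for root's SSH key setup; the `make in /root/.ssh' handler is
## notified whenever they change.  They decide who may log in as root, so
## they are readable and writable by root alone.
## NOTE(review): 0600 assumes only root needs to read these -- confirm
## against the Makefile the handler runs.
- name: install main keys for root SSH access
  tags: [ssh, ssh-root]
  template:
    src: ssh-root/authkeys.base
    dest: /root/.ssh/authkeys.base
    owner: root
    group: root
    mode: "0600"
  notify: make in /root/.ssh

- name: install keys for root SSH access
  tags: [ssh, ssh-root]
  copy:
    src: "ssh-root/{{ item }}"
    dest: /root/.ssh/
    owner: root
    group: root
    mode: "0600"
  notify: make in /root/.ssh
  with_items:
    - Makefile
    - config.m4
    - known_hosts.extra

###--------------------------------------------------------------------------
### Backup machinery.

## One filter file per backed-up tree, installed as <dest>/.rsync-backup.
## NOTE(review): 0644 keeps the filters readable whichever account runs the
## backup; tighten it if the backup is known to run as root.
- name: install backup filters
  tags: [backup, backup-filters]
  copy:
    src: "backup/filter.{{ item.label }}"
    dest: "{{ item.dest }}/.rsync-backup"
    owner: root
    group: root
    mode: "0644"
  with_items:
    - label: home
      dest: /home
    - label: var-spool
      dest: /var/spool

## Executables on the default PATH: root-owned and not writable by others,
## with the executable bit set explicitly rather than left to the umask.
- name: install required backup scripts on non-Debian hosts
  tags: [backup, backup-scripts]
  copy:
    src: backup/fshash
    dest: /usr/local/bin/
    owner: root
    group: root
    mode: "0755"
  when: os != 'debian'

###--------------------------------------------------------------------------
### Other miscellaneous files.

## sudo rejects a sudoers file with the wrong owner or with loose
## permissions, and a syntax error in it disables sudo on every host this
## runs against.  The file is therefore installed root-owned and read-only,
## and only after visudo has accepted the candidate copy (%s).
## NOTE(review): visudo is looked up on the remote PATH; use an absolute
## path if the hosts disagree about where it lives.
- name: install sudo configuration
  tags: [sudo]
  copy:
    src: sudo/sudoers
    dest: /etc/
    owner: root
    group: root
    mode: "0440"
    validate: "visudo -cf %s"

- name: install common scripts
  tags: [scripts]
  copy:
    src: "scripts/{{ item }}"
    dest: /usr/local/bin/
    owner: root
    group: root
    mode: "0755"
  with_items:
    - fetch-unpack-archive
    - genx509

- name: install root Git configuration
  tags: [root-files]
  copy:
    src: root/gitconfig
    dest: /root/.gitconfig
    owner: root
    group: root
    mode: "0644"

###----- That's all, folks --------------------------------------------------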