---
# Notice that "# noqa: package-latest" is included in this file. This disabled a specific check for the Ansible linter,
# see: https://ansible.readthedocs.io/projects/lint/usage/#muting-warnings-to-avoid-false-positives.
# For a purely reproducible build this would be a good suggestion but I'm willing to take the risk with the Pi.
- name: Install raspberry pi
  hosts: raspberry_pis
  vars_files:
    - vault.yml
  roles:
    # These roles are disabled after they have being applied once for performance reasons, it should be safe to enable them again.
    # Notice that this role changes some settings on reruns (on the "Change various sysctl-settings" task), doesn't seem problematic though.
    - role: devsec.hardening.ssh_hardening
      become: true
    - role: geerlingguy.docker
      become: true
    - role: hostname
    - role: packages
    - role: user
    - role: cloudflare-ddns
    - role: cloudflared
    - role: nginx
    - role: pi-hole
    - role: actual
    - role: postgres
    # - role: wedding
    # - role: changedetection
    # - role: monitoring
  vars:
    # devsec.hardening.ssh_hardening vars:
    ssh_client_port: 22 # Default, but duplicated here for documentation purpose. Not changed because its only accessible via LAN.
    ssh_client_password_login: false # Default, but duplicated here for documentation purpose.
    # geerlingguy.docker vars:
    docker_edition: 'ce'
    docker_install_compose_plugin: true
  tasks:
    # This task can be handy for debugging gathered facts, uncomment it if necessary:
    # - name: Store gathered facts in local file
    #   delegate_to: localhost
    #   ansible.builtin.copy:
    #     dest: './.ansible_facts.json'
    #     content: "{{ ansible_facts }}"
    #     mode: "0600"