---
# Notice that "# noqa: package-latest" is included in this file. This disabled a specific check for the Ansible linter,
# see: https://ansible.readthedocs.io/projects/lint/usage/#muting-warnings-to-avoid-false-positives.
# For a purely reproducible build this would be a good suggestion but I'm willing to take the risk with the Pi.
- name: Install raspberry pi
  hosts: raspberry_pis
  roles:
    # These roles are disabled after they have being applied once for performance reasons, it should be safe to enable them again.
    # Notice that this role changes some settings on reruns (on the "Change various sysctl-settings" task), doesn't seem problematic though.
    # - role: devsec.hardening.os_hardening
    #   become: true
    # - role: devsec.hardening.ssh_hardening
    #   become: true
    - role: zsh
  vars:
    # devsec.hardening.os_hardening vars:
    os_auth_pw_max_age: 99999 # Effectively disables the setting as mentioned in the docs.
    os_cron_enabled: false # Cron isn't needed for the installation.
    sysctl_overwrite:
      vm.mmap_rnd_bits: 16 # See the "sysctl - vm.mmap_rnd_bits" section of the docs.
    # devsec.hardening.ssh_hardening vars:
    ssh_allow_users: 'thomas'
    ssh_client_port: 22 # Default, but duplicated here for documentation purpose. Not changed because its only accessible via LAN.
    ssh_client_password_login: false # Default, but duplicated here for documentation purpose.
  tasks:
    # TODO: Replace this with setup that sets up unnattended updates on the machine itself.
    - name: Update all packages to their latest version # noqa: package-latest
      become: true
      ansible.builtin.apt:
        name: "*"
        state: latest