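---
# Baseline configuration for Proxmox VE nodes (inventory group `proxmox`).
#   Play 1: packages, hardware watchdog, ZFS dedup, module/sysctl settings.
#   Play 2: admin scripts, Telegram credentials, reboot-broadcast unit.
# Every task writes below /etc or /root, so both plays are assumed to run
# as root on the targets -- TODO confirm (no `become` is set in this file).

- name: PVE base configuration
  hosts: proxmox
  tasks:
    # NOTE: `state: latest` upgrades these packages on every run, so the
    # installed versions depend on when the playbook was last applied.
    - name: admin convenience packages
      tags: dep
      ansible.builtin.apt:
        state: latest
        pkg:
          - byobu
          - mosh
          - vim
          - ncdu
          - htop
          # - git

    - name: scripting dependencies
      tags: dep
      ansible.builtin.apt:
        state: latest
        pkg:
          - jq
          - yq
          - curl
          - guestfs-tools
          - restic

    # adding non-free-firmware component currently left manual, as it is
    # hard to do reliably across upgrades + format will change with next
    # major upg + not planning to add new nodes atm

    # TODO: Whatever you do, Ansible wants to collect _all_ facts all the
    # time.
    # - name: Collect processor facts
    #   ansible.builtin.setup:
    #     gather_subset: "!all,!min,processor"
    # - name: Show Gathered Facts
    #   debug:
    #     msg: "{{ ansible_facts }}"
    #
    #
    # - name: CPU microcode (Intel)
    #   tags: dep
    #   when: "'GenuineIntel' in ansible_processor"
    #   apt:
    #     state: latest
    #     pkg: intel-microcode
    #
    # - name: CPU microcode (AMD)
    #   tags: dep
    #   when: "'AuthenticAMD' in ansible_processor"
    #   apt:
    #     state: latest
    #     pkg: amd64-microcode

    # The regexp has no `^` anchor, so it also matches a commented-out
    # `#WATCHDOG_MODULE=ipmi_watchdog` line and replaces it with the active
    # setting. A line naming a different module does not match; in that
    # case lineinfile appends a second WATCHDOG_MODULE line.
    - name: enable hardware watchdog
      tags: dep
      ansible.builtin.lineinfile:
        path: /etc/default/pve-ha-manager
        regexp: 'WATCHDOG_MODULE=ipmi_watchdog$'
        line: 'WATCHDOG_MODULE=ipmi_watchdog'

    # Read-only probe: `-o value` prints only the property value, so no
    # shell pipeline is needed. It also runs in check mode, so that the
    # `when` below sees the real state instead of an empty stdout.
    - name: rpool dedup
      ansible.builtin.command:
        cmd: zfs get -H -o value dedup rpool
      changed_when: false
      check_mode: false
      register: dedup

    # Any value other than exactly `on` (including `off`, `verify` or an
    # explicit checksum name) is reset to `on`.
    - name: rpool dedup=on
      when: "dedup.stdout != 'on'"
      ansible.builtin.command:
        cmd: zfs set dedup=on rpool

    # https://forum.proxmox.com/threads/problem-activating-memory-hotplug.66790/
    # https://lists.proxmox.com/pipermail/pve-devel/2016-December/024519.html
    # can reproduce in 2020, 2022, 2025
    - name: increase max_mem_regions
      ansible.builtin.copy:
        content: |
          options vhost max_mem_regions=512
        dest: /etc/modprobe.d/vhost.conf
        mode: "0644"

    # TODO: was in /etc/sysctl.conf on all, including new nodes (not present
    # in upstream deb packages), including it just in case. This needs docs
    # on what it is used for / needed by.
    # NOTE(review): these two keys make the hypervisor forward IPv4 and IPv6
    # packets between its interfaces. Presumably needed for routed or NAT
    # guest networking -- confirm, and confirm that the host firewall
    # restricts forwarded traffic. This task only writes the file; nothing
    # here reloads sysctl, so a changed value is not applied by this play.
    - name: sysctl.conf UNKNOWN CONFIG DRIFT
      ansible.builtin.copy:
        content: |
          net.ipv4.ip_forward=1
          net.ipv6.conf.all.forwarding=1
        dest: /etc/sysctl.d/99-k-space.conf
        mode: "0644"

- name: PVE admin tooling
  hosts: proxmox
  tasks:
    - name: README
      ansible.builtin.copy:
        content: |
          https://git.k-space.ee/k-space/ansible/src/branch/main/proxmox
          ^ source for admin_scritps
          https://wiki.k-space.ee/en/hosting/proxmox
        dest: /root/README
        mode: "0644"

    # These files are sourced by root's interactive shells (next task), so
    # they execute as root. `mode: preserve` copies whatever permission
    # bits the files have on the controller; keep the checkout free of
    # group- or world-writable scripts.
    - name: admin_scripts directory
      ansible.builtin.copy:
        src: admin_scripts/
        dest: /root/admin_scripts/
        owner: root
        group: root
        mode: preserve

    - name: source admin_scripts/bashrc
      ansible.builtin.lineinfile:
        path: /root/.bashrc
        line: 'source /root/admin_scripts/bashrc'

    # no_log keeps the loaded values out of verbose (-v) output and logs.
    # NOTE(review): the file lives outside this directory; whether it is
    # vault-encrypted or kept out of version control cannot be seen from
    # here -- confirm.
    - name: load secrets
      ansible.builtin.include_vars:
        file: ../secrets/pve-telegram.yaml
      no_log: true

    # The rendered file holds the Telegram credentials, so it is created
    # root-only instead of with the umask default. no_log keeps the
    # rendered content out of --diff output; drop it temporarily when
    # debugging template errors.
    - name: install telegram.env
      ansible.builtin.template:
        src: templates/telegram.env.j2
        dest: /root/telegram.env
        owner: root
        group: root
        mode: "0600"
      no_log: true

    - name: install broadcast_reboot.service
      ansible.builtin.copy:
        src: templates/broadcast_reboot.service
        dest: /etc/systemd/system/broadcast_reboot.service
        mode: "0644"

    # daemon_reload makes systemd re-read the unit file in case the
    # previous task changed it.
    - name: enable broadcast_reboot.service
      ansible.builtin.systemd_service:
        name: broadcast_reboot.service
        enabled: true
        daemon_reload: true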