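---
# Reconfigure Kubernetes nodes: replace the distro-packaged kubelet/kubeadm/kubectl
# with pinned upstream release binaries, install a kubelet unit, tune graceful
# node shutdown, and reset the container-runtime, kernel-module and sysctl
# configuration. Every task writes under /usr, /etc or /var/lib, so the play
# needs root privileges (become via inventory or ansible.cfg) — TODO confirm.
- name: Reconfigure Kubernetes nodes
  hosts: kubernetes
  vars:
    # Pinned upstream release; the .sha256 files published next to each binary
    # under the same release path are used to verify the downloads below.
    KUBERNETES_VERSION: v1.27.16
    # Map the Ansible architecture fact onto the upstream release arch name.
    KUBERNETES_ARCH: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"
    KUBERNETES_RELEASE_URL: "https://cdn.dl.k8s.io/release/{{ KUBERNETES_VERSION }}/bin/linux/{{ KUBERNETES_ARCH }}"
    # Binaries removed as APT packages and reinstalled from upstream into /usr/bin.
    KUBERNETES_BINARIES:
      - kubelet
      - kubeadm
      - kubectl
  tasks:
    - name: Remove APT packages
      ansible.builtin.apt:
        # One transaction for all three packages instead of a loop.
        name: "{{ KUBERNETES_BINARIES }}"
        state: absent

    - name: Download Kubernetes binaries
      ansible.builtin.get_url:
        url: "{{ KUBERNETES_RELEASE_URL }}/{{ item }}"
        dest: "/usr/bin/{{ item }}"
        mode: '0755'
        # Verify each download against the digest published alongside it, so a
        # truncated or corrupted file is never installed as a root-owned
        # executable. Note this only proves integrity relative to the same
        # origin; it does not defend against a compromised release host.
        checksum: "sha256:{{ KUBERNETES_RELEASE_URL }}/{{ item }}.sha256"
      loop: "{{ KUBERNETES_BINARIES }}"

    # ExecStart must point at the get_url dest above (/usr/bin/kubelet); the
    # earlier /usr/local/bin path did not match where the binary is installed.
    - name: Create /etc/systemd/system/kubelet.service
      ansible.builtin.copy:
        content: |
          [Unit]
          Description=kubelet: The Kubernetes Node Agent
          Documentation=https://kubernetes.io/docs/home/
          Wants=network-online.target
          After=network-online.target

          [Service]
          ExecStart=/usr/bin/kubelet
          Restart=always
          StartLimitInterval=0
          RestartSec=10

          [Install]
          WantedBy=multi-user.target
        dest: /etc/systemd/system/kubelet.service
        mode: '0644'
      register: kubelet_unit

    # systemd only re-reads unit files on a daemon-reload. The kubelet itself is
    # deliberately not restarted here; new binaries and the config changes below
    # take effect on the next kubelet restart, which the operator schedules.
    - name: Reload systemd unit files
      ansible.builtin.systemd:
        daemon_reload: true
      when: kubelet_unit is changed

    # Both keys are set to the same value; shutdownGracePeriodCriticalPods must
    # not exceed shutdownGracePeriod. lineinfile appends the key if it is absent.
    - name: Reconfigure kubelet graceful node shutdown
      ansible.builtin.lineinfile:
        path: /var/lib/kubelet/config.yaml
        regexp: '^{{ item }}:'
        line: '{{ item }}: 5m'
      loop:
        - shutdownGracePeriod
        - shutdownGracePeriodCriticalPods

    # Give the kubelet its full shutdown grace period before logind proceeds.
    - name: Work around unattended-upgrades
      ansible.builtin.lineinfile:
        path: /lib/systemd/logind.conf.d/unattended-upgrades-logind-maxdelay.conf
        regexp: '^InhibitDelayMaxSec='
        line: 'InhibitDelayMaxSec=5m0s'

    - name: Disable unneccesary services
      ansible.builtin.service:
        name: "{{ item }}"
        state: stopped
        enabled: false
      # Best effort: not every host ships all of these units, and a missing
      # unit must not abort the play. This also hides genuine stop failures;
      # review the task output when a unit is expected to exist.
      ignore_errors: true
      loop:
        - gdm3
        - snapd
        - bluetooth
        - multipathd

    - name: Reset /etc/containers/registries.conf
      ansible.builtin.copy:
        content: |
          unqualified-search-registries = ["docker.io"]
        dest: /etc/containers/registries.conf
        mode: '0644'
      register: registries

    - name: Restart CRI-O
      ansible.builtin.service:
        name: cri-o
        state: restarted
      when: registries is changed

    # Loaded at boot by systemd-modules-load; loaded immediately below when changed.
    - name: Reset /etc/modules
      ansible.builtin.copy:
        content: |
          overlay
          br_netfilter
        dest: /etc/modules
        mode: '0644'
      register: kernel_modules

    # Shell is required for the pipe; the input is the file this play just wrote.
    - name: Load kernel modules
      ansible.builtin.shell: "cat /etc/modules | xargs -L 1 -t modprobe"
      when: kernel_modules is changed

    - name: Reset /etc/sysctl.d/99-k8s.conf
      ansible.builtin.copy:
        content: |
          net.ipv4.conf.all.accept_redirects = 0
          net.bridge.bridge-nf-call-iptables = 1
          net.ipv4.ip_forward = 1
          net.bridge.bridge-nf-call-ip6tables = 1
          vm.max_map_count = 524288
          fs.inotify.max_user_instances = 1280
          fs.inotify.max_user_watches = 655360
        dest: /etc/sysctl.d/99-k8s.conf
        mode: '0644'
      register: sysctl

    # No shell features needed, so command avoids an unnecessary shell invocation.
    - name: Reload sysctl config
      ansible.builtin.command: sysctl --system
      when: sysctl is changed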