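---
# Remote LUKS unlock for Oracle Linux 9: builds dracut-crypt-ssh from source,
# adds a tiny dracut module that ships cryptsetup in the initramfs, drops the
# dropbear config + ACL into /etc/dracut.conf.d, and turns on early networking
# in the kernel command line. Everything installed here runs *before* the root
# filesystem is unlocked, so inputs are validated up front and the git source
# can be pinned.
#
# Required vars: unlock_port (dropbear listen port), ssh_keys (list of public
# keys allowed to unlock). Optional: dracut_crypt_ssh_version (git ref, default
# master), unlock_ip (dracut ip= value, default dhcp).
# Handlers referenced (defined elsewhere): Build dracut-crypt-ssh,
# Regenerate initramfs, Regenerate GRUB.

- name: Validate unlock inputs
  # Fail early: an empty ACL means nobody can unlock remotely and the host
  # would sit at the LUKS prompt; a bad port makes dropbear fail to bind.
  ansible.builtin.assert:
    that:
      - unlock_port is defined
      - (unlock_port | int) >= 1
      - (unlock_port | int) <= 65535
      - ssh_keys is defined
      - ssh_keys | length > 0
    fail_msg: "unlock_port must be an integer in 1-65535 and ssh_keys must contain at least one public key"

- name: Install EPEL
  ansible.builtin.dnf:
    name:
      - oracle-epel-release-el9
    state: present

- name: Install Dependencies
  # dropbear comes from EPEL; the rest is needed to build dracut-crypt-ssh.
  ansible.builtin.dnf:
    name:
      - make
      - libblkid-devel
      - gcc
      - git
      - dropbear
    state: present

- name: Clone dracut-crypt-ssh
  # Supply-chain note: this code is copied into the initramfs and executes
  # before root is unlocked. Pin dracut_crypt_ssh_version to a tag or commit
  # SHA in inventory rather than tracking a moving branch.
  ansible.builtin.git:
    repo: https://github.com/dracut-crypt-ssh/dracut-crypt-ssh.git
    dest: /opt/src/dracut-crypt-ssh
    version: "{{ dracut_crypt_ssh_version | default('master') }}"
  notify: Build dracut-crypt-ssh

- name: Flush handlers
  # Build must complete before the dracut config below triggers a regenerate.
  ansible.builtin.meta: flush_handlers

- name: Create small dracut module
  ansible.builtin.file:
    path: /usr/lib/dracut/modules.d/99cryptsetup
    state: directory
    mode: "0755"
    owner: root
    group: root
    seuser: system_u
    serole: object_r
    setype: bin_t
    selevel: s0

- name: Ensure cryptsetup is installed in dracut
  # Minimal module: pull the cryptsetup binary into the initramfs so the
  # unlock helper has something to call.
  ansible.builtin.copy:
    dest: /usr/lib/dracut/modules.d/99cryptsetup/module-setup.sh
    content: |
      #!/bin/bash
      check() {
        require_binaries cryptsetup || return 1
        return 0
      }
      depends() {
        return 0
      }
      install() {
        inst cryptsetup
        dracut_need_initqueue
      }
    mode: "0755"
    owner: root
    group: root
    seuser: system_u
    serole: object_r
    setype: bin_t
    selevel: s0
  notify: Regenerate initramfs

- name: Configure dracut-crypt-ssh
  ansible.builtin.copy:
    dest: /etc/dracut.conf.d/crypt-ssh.conf
    content: |
      dropbear_port="{{ unlock_port }}"
      # System keys are in an OpenSSH-specific format (not PEM).
      # So let's stick with default GENERATE or convert all keys with
      # ssh-keygen -m PEM -p -f
      # dropbear_rsa_key="SYSTEM"
      # dropbear_ecdsa_key="SYSTEM"
      # dropbear_ed25519_key="SYSTEM"
      # NOTE: with GENERATE the initramfs host key differs from the running
      # system's key; record its fingerprint out of band so operators can
      # verify the unlock prompt instead of blindly accepting a key change.
      dropbear_acl="/etc/dracut.conf.d/authorized_keys"
    mode: "0644"
    owner: root
    group: root
    seuser: unconfined_u
    serole: object_r
    setype: etc_t
    selevel: s0
  notify: Regenerate initramfs

- name: Configure dracut authorized_keys
  # Only these keys may reach the pre-boot dropbear; keep the file root-only.
  ansible.builtin.copy:
    dest: /etc/dracut.conf.d/authorized_keys
    content: |
      {% for ssh_key in ssh_keys %}
      {{ ssh_key }}
      {% endfor %}
    mode: "0600"
    owner: root
    group: root
    seuser: unconfined_u
    serole: object_r
    setype: etc_t
    selevel: s0
  notify: Regenerate initramfs

- name: Get GRUB defaults
  ansible.builtin.slurp:
    src: /etc/default/grub
  register: tmp_grub

- name: Ensure GRUB command line contains the 'quiet' anchor
  # The rewrite below inserts the network options in front of 'quiet'. If it
  # is absent the previous behaviour was to silently write nothing, leaving
  # the initramfs without networking and the host stuck at the LUKS prompt.
  ansible.builtin.assert:
    that:
      - "'quiet' in (tmp_grub['content'] | b64decode)"
    fail_msg: "/etc/default/grub has no 'quiet' option to anchor rd.neednet=1/ip= on; add it or adjust this task"

- name: Configure GRUB
  # Strip any previous rd.neednet=/ip= (idempotent re-runs), then add ours.
  # \b keeps the regexes from eating unrelated options such as foo_ip=.
  ansible.builtin.copy:
    dest: /etc/default/grub
    content: "{{ tmp_grub['content'] | b64decode | regex_replace('\\brd\\.neednet=\\S+\\s', '') | regex_replace('\\bip=\\S+\\s', '') | replace('quiet', 'rd.neednet=1 ip=' ~ (unlock_ip | default('dhcp')) ~ ' quiet') }}"
    mode: "0644"
    backup: true
  notify: Regenerate GRUB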