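---
# Desktop provisioning tasks: preseed debconf answers, install the KDE desktop
# and tool packages, then configure grub, akonadi, AppArmor home dirs, Firefox
# policies, SDDM, sleep behaviour and the pwroff timer.
#
# Changes against the previous revision: fully qualified module names
# throughout, file modes quoted as strings, explicit modes on every file that
# a task may create, `loop` instead of `with_items`, `true` instead of `yes`.

- name: Preseed wireshark to allow users sniffing packets
  ansible.builtin.debconf:
    name: wireshark-common
    question: wireshark-common/install-setuid
    value: 'true'
    vtype: boolean

# The fonts are fetched over plain HTTP from the local mirror.
# NOTE(review): integrity then rests on the installer verifying checksums of
# the downloaded files - confirm, or serve the mirror over HTTPS.
- name: Preseed ttf-mscorefonts-installer
  ansible.builtin.debconf:
    name: ttf-mscorefonts-installer
    question: msttcorefonts/dlurl
    value: 'http://livebox.pn.steinbeis.schule/mscorefonts/'
    vtype: string

- name: Install desktop EDU packages and some more
  ansible.builtin.apt:
    name:
      - task-kde-desktop
      - task-german-kde-desktop
      - task-german-desktop
      - xdg-desktop-portal-kde
      - xdg-desktop-portal-wlr  # share screen in browser
      - kde-full
      - akonadi-backend-sqlite
      - thunderbird-l10n-de
      - webext-privacy-badger
      - webext-ublock-origin-firefox
      - webext-ublock-origin-chromium
      - atftp
      - emacs
      - elpa-magit
      - elpa-color-theme-modern
      - vlc
      - gimp
      - inkscape
      - flameshot
      - bluefish
      - git
      - gitk
      - gitg
      - wireshark
      - nmap
      - netcat-openbsd
      - net-tools
      - ghex
      - thonny
      - spyder
      - mu-editor
      - dia
      - vym
      - tree
      - sqlite3
      - sqlitebrowser
      - neovim
      - qtcreator
      - freecad
      - librecad
      - arduino
      - kicad
      - keepassxc
      - tmux
      - curl
      - pulseview
      - sigrok
      - sigrok-cli
      - codeblocks
      - ttf-mscorefonts-installer
    autoremove: true
    state: latest
  environment:
    # this is needed to avoid ttf-mscorefonts-installer picking up aptcacher
    http_proxy: ''

- name: Add {{ ansible_distribution_release }}-backports
  ansible.builtin.apt_repository:
    repo: "deb http://deb.debian.org/debian/ {{ ansible_distribution_release }}-backports main contrib non-free"
    state: present
    update_cache: true
  when: ansible_distribution_release == 'bullseye'

- name: Install extra packages from backports
  ansible.builtin.apt:
    name:
      - libreoffice
      - libreoffice-l10n-de
    state: latest  # noqa package-latest
    autoremove: true
    default_release: "{{ ansible_distribution_release }}-backports"
  when: ansible_distribution_release == 'bullseye'

- name: Enable splash screen
  ansible.builtin.replace:
    path: /etc/default/grub
    regexp: '"quiet"$'
    replace: '"quiet splash"'
  notify: Run update-grub

- name: Create akonadi config dir
  ansible.builtin.file:
    path: /etc/xdg/akonadi/
    state: directory
    mode: '0755'

- name: Use sqlite in akonadi
  ansible.builtin.blockinfile:
    path: /etc/xdg/akonadi/akonadiserverrc
    create: true
    # Explicit mode so a newly created file does not depend on the umask.
    mode: '0644'
    block: |
      [%General]
      Driver=QSQLITE3

# Security trade-off: making dumpcap world-executable drops the group gate, so
# together with the install-setuid preseed above every local account can
# capture traffic on this host's interfaces, not only members of a dedicated
# group. Keep this only where that is intended for all users of the machine.
# NOTE(review): a wireshark-common upgrade may reset the mode until this play
# runs again - confirm.
- name: Allow users to dump packets for wireshark without group membership
  ansible.builtin.file:
    path: /usr/bin/dumpcap
    mode: '0755'

# NOTE(review): nothing here reloads AppArmor; the tunable presumably takes
# effect on the next profile reload or reboot - confirm.
- name: Add home dirs to apparmor
  ansible.builtin.lineinfile:
    path: /etc/apparmor.d/tunables/home.d/ubuntu
    line: >-
      @{HOMEDIRS}+=/srv/samba/schools/default-school/teachers/
      /srv/samba/schools/default-school/students/*/

- name: Create firefox policies directory
  ansible.builtin.file:
    path: /etc/firefox-esr/policies
    state: directory
    mode: '0755'

- name: Create a symbolic link firefox to firefox-esr
  ansible.builtin.file:
    src: /etc/firefox-esr
    dest: /etc/firefox
    state: link

- name: copy policy
  ansible.builtin.copy:
    src: policies.json
    dest: /etc/firefox-esr/policies/
    # Root-owned and not writable by users, but readable by the browser
    # running under any account.
    mode: '0644'

- name: tune SDDM login
  ansible.builtin.blockinfile:
    path: /etc/sddm.conf
    create: true
    mode: '0644'
    block: |
      [Users]
      MaximumUid=999
      RememberLastUser=false
      RememberLastSession=false

- name: Create directory to avoid suspend
  ansible.builtin.file:
    path: /etc/systemd/sleep.conf.d/
    state: directory
    mode: '0755'

- name: Avoid suspending
  ansible.builtin.blockinfile:
    path: /etc/systemd/sleep.conf.d/nosuspend.conf
    create: true
    mode: '0644'
    block: |
      [Sleep]
      AllowSuspend=no
      AllowHibernation=no
      AllowSuspendThenHibernate=no
      AllowHybridSleep=no

- name: Copy pwroff script
  ansible.builtin.copy:
    src: pwroff
    dest: /usr/local/sbin/
    # Quoted so the mode is always read as an octal string.
    mode: '0755'

- name: Provide service and timer for pwroff script
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: "/etc/systemd/system/{{ item }}"
    mode: '0644'
  loop:
    - pwroff.service
    - pwroff.timer
  notify: enable pwroff.timer

################# general settings ##################

# grub_pwd is expected to hold a PBKDF2 hash as produced by
# grub-mkpasswd-pbkdf2, never a plaintext password - confirm where the
# variable is defined. The script is restricted to root because it embeds
# that hash: world-readable, any local user could copy it for offline
# guessing. update-grub runs as root, so 0700 keeps the script usable.
- name: Protect grub menu entries
  ansible.builtin.blockinfile:
    path: /etc/grub.d/40_custom
    mode: '0700'
    block: |
      set superusers='root'
      password_pbkdf2 root {{ grub_pwd }}
  notify: Run update-grub

# With a superuser set, menu entries require the password unless marked
# --unrestricted; this keeps the generated Linux entries bootable without it,
# while editing entries and the grub shell stay protected.
- name: Allow booting default entry
  ansible.builtin.lineinfile:
    path: /etc/grub.d/10_linux
    line: CLASS="${CLASS} --unrestricted"
    insertafter: '^CLASS=.*'
    firstmatch: true
  notify: Run update-grub

- name: grub timeout
  ansible.builtin.lineinfile:
    path: /etc/default/grub
    regexp: '^(GRUB_TIMEOUT=).*'
    line: '\g<1>3'
    backrefs: true
  notify: Run update-grub

- name: keyboard compose key
  ansible.builtin.lineinfile:
    path: /etc/default/keyboard
    regexp: '^(XKBOPTIONS=).*'
    line: '\1"compose:caps"'
    backrefs: true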