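---
# Bootstrap SSH access to a freshly provisioned host or container.
#
# Flow: attempt the normal (host-key-verified) connection; if it fails, fall
# back to a password login with host-key checking disabled, then — on Alpine —
# replace dropbear's default host keys with a single ed25519 key, record that
# key in the controller's known_hosts, and re-enable strict checking before the
# per-distribution setup runs.
#
# SECURITY NOTE: the fallback is trust-on-first-use. The host key recorded in
# known_hosts below is read over a session that was NOT host-key-verified, so a
# man-in-the-middle present during the very first bootstrap would be trusted
# from then on. Acceptable when hosts are provisioned on an isolated network;
# otherwise pre-seed known_hosts out of band so the rescue path never runs.

- block:
    - name: try to connect
      wait_for_connection:
        timeout: 10

    - set_fact:
        ssh_ok: true

  rescue:
    # Keep the caller's extra args so they can be restored verbatim later.
    - name: save old ansible ssh args
      set_fact:
        old_ansible_ssh_extra_args: "{{ ansible_ssh_extra_args | d('') }}"

    # NOTE(review): `host_key_checking` does not appear to be a variable the ssh
    # connection plugin reads; the `-o StrictHostKeyChecking=no` extra arg is
    # what actually disables verification here. The fact is kept for any
    # consumer that inspects it.
    # NOTE(review): if the controller already has a *different* key for this
    # host (re-provisioned box), OpenSSH refuses password auth even with
    # StrictHostKeyChecking=no; remove the stale known_hosts entry first.
    - name: disable key checking and enable password login
      set_fact:
        ssh_ok: false
        host_key_checking: false
        ansible_password: "{{ container_password | d(host_password) }}"
        ansible_ssh_extra_args: "{{ ansible_ssh_extra_args | d('') }} -o StrictHostKeyChecking=no"
      # The password is part of this task's result (ansible_facts) and would be
      # printed by verbose runs and most callbacks without this.
      no_log: true

    - name: try to connect without key checking
      wait_for_connection:
        timeout: 10

- name: gather facts
  setup:
    gather_subset:
      - min
      - distribution

- name: generate host ssh key
  include_tasks: gen_ssh_key.yml
  when: (use_ssh_keys | d(true) == true) and ('containers' not in group_names)

# Alpine ships dropbear: drop its auto-generated DSS/RSA/ECDSA host keys in
# favour of one ed25519 key and tighten the daemon options.
- block:
    - name: remove default dropbear keys
      file:
        path: "{{ (dropbear_dir, item) | path_join }}"
        state: absent
      loop:
        - dropbear_dss_host_key
        - dropbear_rsa_host_key
        - dropbear_ecdsa_host_key
      notify: restart dropbear

    - name: generate ed25519 dropbear key if missing
      command:
        cmd: "dropbearkey -t ed25519 -f {{ (dropbear_dir, 'dropbear_ed25519_host_key') | path_join | quote }}"
        creates: "{{ (dropbear_dir, 'dropbear_ed25519_host_key') | path_join }}"
      notify: restart dropbear

    - name: get remote host public key
      command:
        cmd: "dropbearkey -y -f {{ (dropbear_dir, 'dropbear_ed25519_host_key') | path_join | quote }}"
      register: pubkey
      changed_when: false

    # `first` on an empty sequence yields an undefined value, which aborts
    # templating before the explicit check below ever runs; default it to ''
    # so the "public key is missing" failure is actually reachable.
    - name: get actual public key
      set_fact:
        host_ssh_pubkey: "{{ pubkey.stdout_lines | map('regex_search', '^ssh-ed25519.*$') | select('string') | first | d('') }}"

    - name: fail if public key is missing
      fail:
        msg: "remote host ssh public key is missing"
      when: host_ssh_pubkey | length == 0

    # This key was obtained over the unverified rescue session (see header).
    # NOTE(review): the entry is keyed on ansible_host alone; if the host is
    # reached on a non-default ansible_port, OpenSSH looks up `[host]:port`
    # and this entry will not match — confirm for your inventory.
    - name: add public key to known_hosts on ansible controller
      known_hosts:
        key: "{{ ansible_host }} {{ host_ssh_pubkey }}"
        name: "{{ ansible_host }}"
      delegate_to: localhost

    # Per dropbear(8): -r serve only the ed25519 key; -j/-k disable local and
    # remote port forwarding; -T 5 max auth attempts; -K 360 keepalive;
    # -I 7200 idle timeout. Password logins (-s) and root logins (-w) remain
    # enabled because the rescue path above depends on a root password login;
    # revisit once key-based access is confirmed working.
    - name: edit dropbear conf file
      lineinfile:
        path: /etc/conf.d/dropbear
        regexp: '^DROPBEAR_OPTS=.*$'
        line: "DROPBEAR_OPTS=\"-r {{ (dropbear_dir, 'dropbear_ed25519_host_key') | path_join | quote }} -jk -T 5 -K 360 -I 7200\""
      notify: restart dropbear

    - name: copy dropbear init file
      copy:
        src: dropbear_init
        dest: /etc/init.d/dropbear
        force: true
      notify: restart dropbear

    # lineinfile with create=true does not create the parent directory.
    - name: ensure /root/.ssh exists
      file:
        path: /root/.ssh
        state: directory
        mode: "0700"
      when: container_key is defined and container_key.public_key is defined

    - name: ensure remote host has ansible key in authorized_keys file
      lineinfile:
        path: /root/.ssh/authorized_keys
        line: "{{ container_key.public_key }}"
        create: true
        mode: "0400"
      when: container_key is defined and container_key.public_key is defined
  when: ansible_distribution == 'Alpine'

- name: flush handlers
  meta: flush_handlers

# Re-enable strict host-key checking and drop the password now that the new
# host key is in known_hosts, then prove the verified path works.
- name: if key checking was disabled
  block:
    - name: set it back on
      set_fact:
        host_key_checking: true
        ansible_ssh_extra_args: "{{ old_ansible_ssh_extra_args }}"
        # Presumably templates to an empty value, which stops the ssh plugin
        # from wrapping the connection in sshpass — verify on your Ansible version.
        ansible_password: "{{ None }}"

    - name: try to connect
      wait_for_connection:
        timeout: 10

    - set_fact:
        ssh_ok: true
  when: not ssh_ok

- name: add etc directory to backup plan
  include_role:
    name: backup
  vars:
    function: add
    backup_items:
      - /etc

- name: alpine setup
  include_tasks: alpine.yml
  when: ansible_distribution == 'Alpine'

- name: debian setup
  include_tasks: debian.yml
  when: ansible_distribution == 'Debian'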