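---
# Base provisioning tasks for a Debian Trixie host: hostname, SSH key
# material, apt sources, base packages, locale, sudo policy and the QEMU
# guest agent.
#
# Variables read by these tasks: inventory_hostname, base_user,
# vault_ssh_pubkey, vault_ssh_privkey.
#
# NOTE(review): the same key pair is authorised for both base_user and root,
# and its private half is written to every host these tasks run on. A single
# compromised host therefore exposes a credential that is accepted on all of
# them. Consider per-host keys or SSH agent forwarding, and confirm that
# direct root login via this key is actually required.

- name: Hostname setzen
  hostname:
    name: "{{ inventory_hostname }}"

# Replaces the existing 127.0.1.1 line, or appends one if none is present.
- name: /etc/hosts aktualisieren
  lineinfile:
    path: /etc/hosts
    regexp: '^127\.0\.1\.1'
    line: "127.0.1.1 {{ inventory_hostname }}.local {{ inventory_hostname }}"

- name: SSH Public Key für Benutzer {{ base_user }} hinterlegen
  ansible.posix.authorized_key:
    user: "{{ base_user }}"
    state: present
    key: "{{ vault_ssh_pubkey }}"

# no_log keeps the private key out of task output, --diff output and
# callback/log plugins. The ~/.ssh directory is not created here; this relies
# on the preceding authorized_key task having set it up.
- name: SSH Private Key für Benutzer {{ base_user }} deployen
  copy:
    content: "{{ vault_ssh_privkey }}\n"
    dest: "/home/{{ base_user }}/.ssh/id_ed25519"
    owner: "{{ base_user }}"
    group: "{{ base_user }}"
    mode: "0600"
  no_log: true

- name: SSH Public Key Datei für Benutzer {{ base_user }} deployen
  copy:
    content: "{{ vault_ssh_pubkey }}\n"
    dest: "/home/{{ base_user }}/.ssh/id_ed25519.pub"
    owner: "{{ base_user }}"
    group: "{{ base_user }}"
    mode: "0644"

- name: SSH Key auch für root hinterlegen
  ansible.posix.authorized_key:
    user: root
    state: present
    key: "{{ vault_ssh_pubkey }}"

# Same secret as above, so the same no_log protection applies.
- name: SSH Private Key für root deployen
  copy:
    content: "{{ vault_ssh_privkey }}\n"
    dest: /root/.ssh/id_ed25519
    owner: root
    group: root
    mode: "0600"
  no_log: true

# NOTE(review): all sources use plain http. apt still verifies the signed
# Release files, so package integrity is covered, but the traffic is readable
# and can be withheld or replayed within the Release validity window. Switch
# to https once the mirror's https support has been confirmed.
- name: Standard Debian Trixie Repositories setzen
  copy:
    dest: /etc/apt/sources.list
    content: |
      deb http://ftp.gwdg.de/debian/ trixie main non-free-firmware non-free contrib
      deb-src http://ftp.gwdg.de/debian/ trixie main non-free-firmware non-free contrib
      deb http://security.debian.org/debian-security trixie-security main non-free-firmware non-free contrib
      deb-src http://security.debian.org/debian-security trixie-security main non-free-firmware non-free contrib
      deb http://ftp.gwdg.de/debian/ trixie-updates main non-free-firmware non-free contrib
      deb-src http://ftp.gwdg.de/debian/ trixie-updates main non-free-firmware non-free contrib
    owner: root
    group: root
    mode: '0644'
  register: repo_status

- name: Apt Cache aktualisieren (falls Repos geändert wurden)
  apt:
    update_cache: true
  when: repo_status.changed

- name: Installiere benötigte Basis-Pakete
  apt:
    name:
      - curl
      - gnupg
      - ca-certificates
      - sudo
      - wget
      - vim
      - mc
    state: present
    update_cache: true

- name: Locales-Paket sicherstellen
  apt:
    name: locales
    state: present

- name: en_US.UTF-8 Locale generieren
  locale_gen:
    name: en_US.UTF-8
    state: present

- name: Systemweite Sprache auf en_US.UTF-8 setzen
  debconf:
    name: locales
    question: locales/default_environment_locale
    value: en_US.UTF-8
    vtype: select

# Explicit owner and mode so the result does not depend on the umask of the
# connecting user, matching the other copy tasks in this file.
- name: Locale-Datei manuell schreiben (Sicherheitsnetz)
  copy:
    dest: /etc/default/locale
    content: |
      LANG=en_US.UTF-8
      LC_ALL=en_US.UTF-8
    owner: root
    group: root
    mode: "0644"

# NOTE(review): NOPASSWD for the whole sudo group makes every account in that
# group equivalent to root without re-authentication. If this is only needed
# for automation, scope it to one account in a file under /etc/sudoers.d
# instead of rewriting the group rule.
# The validate step makes visudo check the candidate file before it replaces
# /etc/sudoers, so a malformed line cannot lock out sudo.
- name: Gruppe sudo passwortloses sudo erlauben
  lineinfile:
    path: /etc/sudoers
    state: present
    regexp: '^%sudo'
    line: '%sudo ALL=(ALL:ALL) NOPASSWD: ALL'
    validate: '/usr/sbin/visudo -cf %s'

# append: true adds sudo to the user's existing supplementary groups rather
# than replacing them.
- name: Benutzer {{ base_user }} zu sudo Gruppe hinzufügen
  user:
    name: "{{ base_user }}"
    groups: sudo
    append: true

- name: Unnötige Pakete entfernen
  apt:
    autoremove: true

- name: QEMU Guest Agent installieren
  apt:
    name: qemu-guest-agent
    state: present

- name: QEMU Guest Agent aktivieren
  service:
    name: qemu-guest-agent
    state: started
    enabled: true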