main.yml

---
- name: Mark oh-my-fish installed with /etc/omf.installed
  tags:
    - fish
  ansible.builtin.file:
    path: /etc/omf.installed
    mode: "0644"
    state: touch
  become: true

- name: Restart fail2ban
  tags:
    - security
    - fail2ban
  ansible.builtin.service:
    name: fail2ban
    state: restarted
    enabled: true
  become: true
  listen: start fail2ban

- name: Copy file update-grub
  tags:
    - grub
  ansible.builtin.copy:
    src: update-grub
    dest: /usr/sbin
    owner: root
    group: root
    mode: "0755"
  become: true
  listen: update grub

- name: Run update grub
  tags:
    - grub
  ansible.builtin.command: update-grub
  become: true
  listen: update grub
  register: grub_output
  changed_when: grub_output.rc != 2

- name: Restart ssh
  tags:
    - security
    - ssh
  ansible.builtin.service:
    name: sshd
    state: restarted
  become: true
  listen: restart ssh

- name: Restart auditd
  tags:
    - security
    - apparmor
  ansible.builtin.service:
    name: auditd
    state: restarted
    enabled: true
  become: true

- name: Restart apparmor
  tags:
    - security
    - apparmor
  ansible.builtin.service:
    name: apparmor
    state: restarted
    enabled: true
  become: true
  listen: start apparmor

# Tailscale handlers

- name: Restart tailscale service
  tags:
    - tailscale
  ansible.builtin.service:
    name: tailscale
    state: restarted
    enabled: true
  become: true

- name: Fetch Tailscale status
  listen: Confirm Tailscale is Connected
  ansible.builtin.command: tailscale status --json
  changed_when: false
  register: tailscale_status

- name: Parse status JSON
  listen: Confirm Tailscale is Connected
  vars:
    status: "{{ tailscale_status.stdout | from_json }}"
  ansible.builtin.set_fact:
    tailscale_is_online: "{{ status.Self.Online }}"

- name: Tailscale online status
  listen: Confirm Tailscale is Connected
  ansible.builtin.debug:
    msg: "Online: {{ tailscale_is_online }}"
  when: verbose

- name: Assert Tailscale is Connected
  listen: Confirm Tailscale is Connected
  ansible.builtin.assert:
    that:
      - tailscale_is_online