base_role/tasks/base.yml

# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-

---

- name: "DEBUG: base base.yml ansible_distribution ansible_virtualization_role"
  debug:
    verbosity: 1
    msg: "DEBUG: Including base base.yml {{ansible_distribution }} {{ ansible_virtualization_role|replace('NA', 'host') }}"

- block:

  # now unused?
  - name: "set PATH env_env"
    set_fact:
      # all of these should now get replaced by env_env
      env_env:
#        PATH: "{{ PATH }}"
        PYTHONPATH: ""
        TERM: linux
      shell_env:
# FixMe: CLARIFY - is this ONLY controller path when -c local?
#was        PATH: "{{ ansible_env.PATH  +':' +VAR_LOCAL +'/bin'|replace('.:', '')}}"
 #       PATH: "{{ PATH }}"
        PYTHONPATH: ""
        TERM: linux

  - name: "set PATH shell_env local"
    set_fact:
      shell_env:
        # FixMe: CLARIFY - is this ONLY controller path when -c local?
        PATH: "{{ ansible_env.PATH  +':' +VAR_LOCAL +'/bin'|replace('.:', '')}}"
        PYTHONPATH: ""
        TERM: linux
      when:
        - ansible_connection in ['local']

  - name: "set PATH shell_env not local"
    set_fact:
      shell_env:
#        PATH: "{{ PATH }}"
        PYTHONPATH: ""
        TERM: linux
      when:
        - ansible_connection not in ['local']

  # FixMe: CLARIFY - is this ONLY controller path when -c local?
  - name: lynis objects to . on the PATH and I cant find whos adding it
    shell: |
      # clean path checks for /var/local/bin
      export PYTHONPATH=
      [ -f {{USR_LOCAL}}/bin/base_clean_path.bash ] && \
        bash {{USR_LOCAL}}/bin/base_clean_path.bash || echo $PATH
    register: env_PATH

  - name: base /usr/local/src/usr_local_src.bash
    copy:
      src: "{{USR_LOCAL}}/src/usr_local_src.bash"
      dest: "{{USR_LOCAL}}/src/usr_local_src.bash"
      mode: '0755'
    when:
      - ansible_virtualization_role|replace('NA', 'host') != 'host'

- block:

    - name: /usr/local/bin/base_check_site_py.bash {{BASE_PYTHON3_MINOR}}
      shell: |
        [ -e {{USR_LOCAL}}/bin/base_check_site_py.bash ] || exit 0
        export PYTHONPATH=''
        {{USR_LOCAL}}/bin/base_check_site_py.bash {{BASE_PYTHON3_MINOR}} || exit 3$?
      when:
        - "BASE_PYTHON3_MINOR != ''"
  
    - name: base /usr/local/bin/base_check_site_py.bash {{BASE_PYTHON2_MINOR}}
      shell: |
        [ -e {{USR_LOCAL}}/bin/base_check_site_py.bash ] || exit 0
        export PYTHONPATH=''
        {{USR_LOCAL}}/bin/base_check_site_py.bash {{BASE_PYTHON2_MINOR}} || exit 2$?
      when:
        - "BASE_PYTHON2_MINOR != ''"

  # wierd error - fails under ansible but not at the command line
  rescue:
    - debug:
        msg: "ERROR: RESCUE WTF {{USR_LOCAL}}/bin/base_check_site_py.bash"
  check_mode: false
  tags:
    - always

- block:

  - name: get ipv6.disable=1  cmdline
    shell: |
      grep ipv6.disable=1 /proc/cmdline
    register : base_ipv6_disable_line
    failed_when: false
    check_mode: false

  - set_fact:
      BASE_IPV6_DISABLE: 0
    when: base_ipv6_disable_line is failed

  - set_fact:
      BASE_IPV6_DISABLE: 1
    when: base_ipv6_disable_line is success

  when: "BOX_IPV6_DISABLE != ''"

- name: /etc/nsswitch.conf
  lineinfile:
    dest: /etc/nsswitch.conf
    regexp: "^{{item.name}}:.*"
    line: "{{item.name}}:	{{item.val}}"
    state: present
  with_items:
      - { name: passwd, val: "compat files" }
      - { name: group, val: "compat files" }

# oddball from Emacs doing a DNS lookup of hostname - force it to localhost
- name: "/etc/hosts"
  shell: |
    umask 022
    [ ! -f /etc/hosts ] && echo "127.0.0.1 localhost {{BOX_HOST_NAME}}" >> /etc/hosts && exit 0
    grep -q "^127.0.0.1.* {{BOX_HOST_NAME}}" /etc/hosts && exit 0
    sed -e 's/\(127.0.0.1.* localhost\)/\1 {{BOX_HOST_NAME}}/' -i /etc/hosts
    exit 0
  when: BOX_HOST_NAME|default('') != ''

- name: dunno where
  shell: |
    [ -d /tmp/.ansible/tmp ] || mkdir -p /tmp/.ansible/tmp
    chmod 1777 /tmp/.ansible/tmp

- block:

  - debug:
      msg: "WARN: user BOX_USER_NAME={{ BOX_USER_NAME }} cannot be root - must be unprived"
    when:
      - BOX_USER_NAME|default('') == 'root'

  - name: setting BOX_USER_NAME to vagrant
    set_fact:
      # this should be seat on the command line - vagrant
      BOX_USER_NAME: "vagrant"
      # this should be set on the command line - /home/vagrant
      BOX_USER_HOME: "/home/vagrant"
      BOX_USER_GROUP: "vagrant"
      # adm group 4 is the same on on Gentoo and Ubuntu -
      # group 4 on Gentoo and Ubuntu is a conveience to be my group and the NTFS group
      BOX_ALSO_GROUP: "adm"

  when: BOX_USER_NAME|default('') == '' or BOX_USER_NAME|default('') == 'root'

- assert:
    that:
      - BOX_USER_NAME|default('') != 'root'
    fail_msg: "ERROR: user BOX_USER_NAME={{ BOX_USER_NAME }} cannot be root - must  be unprived"

- name: msg BOX_USER_HOME
  debug:
    msg: "BOX_USER_HOME {{ BOX_USER_HOME|default('') }}"

- name: assert BOX_USER_HOME is not null
  assert:
    that:
      - "{{ BOX_USER_HOME|default('') != '' }}"

- block:

  - name: "create adm group - optional"
    group:
      name:  "{{ BOX_ALSO_GROUP }}"
      system: yes
    when: "BOX_ALSO_GROUP != ''"

  - name: "create vagrant group"
    group:
      name: "{{ BOX_USER_GROUP }}"

  # "ensure an non-priv account like vagrant exists"
  # FixMe:     useradd: Can't get unique subordinate UID range
  #    useradd: can't create subordinate user IDs
  - name: "add vagrant user"
    user:
      name:  "{{ BOX_USER_NAME }}"
      group: "{{ BOX_USER_GROUP }}"
      append: true
      groups: ["{{ BOX_ALSO_GROUP }}"]
      home: "{{ BOX_USER_HOME }}"
      create_home: yes
      shell: /bin/bash
    #? usermod: user vagrant is currently used by process 2190
    ignore_errors: true

  - name: "make vagrant HOME directory"
    file:
      path: "{{BOX_USER_HOME}}"
      state: directory
      mode: 0700
      owner: "{{ BOX_USER_NAME }}"
      group: "{{ BOX_USER_GROUP }}"

  when: BOX_USER_NAME|default('') != ''
  check_mode: false

- block:

  - name: get passwd line
    shell: |
      [ -f /etc/passwd ] || exit 0
      grep ^{{BOX_USER_NAME}} /etc/passwd
    register : base_boxuser_passwd_line
    failed_when: false
    check_mode: false

  - block:

    - assert:
        that:
          - base_boxuser_passwd_line is success
        fail_msg: "ERROR: user BOX_USER_NAME={{ BOX_USER_NAME }} not found in /etc/passwd"

    # ansible will null this if you run user: without a home:
    - assert:
        that:
          - "{{ base_boxuser_passwd_line.stdout.split(':')[5] != '' }}"
        fail_msg: "BOX_USER_HOME is not null in /etc/passwd"

    - name: BOX_USER_HOME
      set_fact:
        BOX_USER_HOME: "{{ base_boxuser_passwd_line['stdout'].split(':')[5] }}"
      when: BOX_USER_HOME|default('') == ''

    - name: msg BOX_USER_HOME
      debug:
        msg: "BOX_USER_HOME {{ BOX_USER_HOME|default('') }}"

    - name: BOX_USER_GROUP
      set_fact:
        BOX_USER_GROUP: "{{ base_boxuser_passwd_line['stdout'].split(':')[3]|int }}"
      when: BOX_USER_GROUP|default('') == ''

    check_mode: false

  when:
   - BOX_USER_NAME|default('') != ''
   - ansible_distribution != 'Msys'

- block:

  - name: "are we connected? - old ip route default"
    # FixMe: maybe change this to nmap - sometimes ICMP is blocked and its blocked by firewall.conf
    #  nmap -Pn -sU -p U:53 208.67.220.220 ' 0 hosts up'
    # ping -n -c 1 -I "$wlan" 8.8.8.8 >/dev/null - wont work in a vbox or behind a firewall
    shell: |
      a=`route | grep -q ^default` || exit 1
      [ - z "$a" ] && exit 2
      wlan=`echo $a | sed -e 's@.* @@'` && \
      ifconfig "$wlan" | grep -q UP && echo $wlan
    register: wlan_up
    failed_when: false
    when: false

  - name: "are we connected? - base_get_if.bash"
    shell: |
      ip route | grep -q ^default || exit 1$?
      wlan=`{{USR_LOCAL}}/bin/base_get_if.bash` || exit 3
      if [ -n "$wlan" ] ; then
          ifconfig "$wlan" | grep -q UP && echo $wlan || true
      else
        a=`route | grep ^default` && \
        [ -n "$a" ] && \
        wlan=`echo $a | sed -e 's@.* @@'` && \
        [ -n "$wlan" ] && \
        ifconfig "$wlan" | grep -q UP &&  \
        echo $wlan
      fi
    register: wlan_up
    failed_when: false
    when: true

  - name: "are we connected? - new wifi"
    shell: |
      ip route | grep -q ^default || exit 1$?
      {{USR_LOCAL}}/bin/proxy_ping_test.bash wifi || exit 2$?
      wlan=`{{USR_LOCAL}}/bin/base_get_if.bash`
      echo $wlan
    register: wlan_up_no
    failed_when: false
    when: false

  - name: debug wlan_up
    debug:
      var: wlan_up

  - name: "we are connected device wlan_up.stdout"
    set_fact:
      BASE_ARE_CONNECTED="{{ wlan_up.stdout }}"
    when:
      - wlan_up is success
#?      - wlan_up.stdout|default("") != ""

  - name: "we are connected device  - unconnected n"
    set_fact:
      BASE_ARE_CONNECTED=""
    when:
      - wlan_up.rc|default(1) != 0 or wlan_up.stdout|default('') == ''

  check_mode: false
  when:
    - BOX_OS_FAMILY != 'Windows'

- block:

  - name: "we are connected device  - WGate106"
    set_fact:
      BASE_ARE_CONNECTED=""
  when:
    - BOX_OS_FLAVOR|default('') == 'WGate106' or BOX_OS_FAMILY == 'Windows'

- debug:
    verbosity: 1
    msg: "DEBUG: BASE_ARE_CONNECTED={{BASE_ARE_CONNECTED}}"

- name: set the default route device if we are connected
  set_fact:
    BASE_OUTPUT_IF: "{{BASE_ARE_CONNECTED}}"
  when:
    - "BASE_ARE_CONNECTED != ''"
    - ansible_distribution != 'Msys'

- name: set the default route device if we are not connected
  set_fact:
    BASE_OUTPUT_IF: "{{BASE_DEFAULT_OUTPUT_IF}}"
  when:
    - "BASE_ARE_CONNECTED == ''"
    - ansible_distribution != 'Msys'

- block:

  - name: "make /usr/local"
    file:
      path: "{{BASE_USR_LOCAL}}/{{item}}"
      state: directory
      mode: 0775
      group: "{{ BOX_ALSO_GROUP }}"
    with_items:
        - bin
        - data
        - etc/testforge
        - etc/ssl
        - "{{LIB}}"
        - lib/ruby
        - lib/sysctl.d
        - net/Http
        - net/Git
        - sbin
        - share/info
        - share/man/man1
        - src
        - var

  check_mode: false

- block:

  # sitecustomize is not getting made on 3.8
  - name: /usr/local/bin/pyver.sh 2
    shell: |
      export BASE_PYTHON2_MINOR={{BASE_PYTHON2_MINOR}}
      export PYVER=2
      {{USR_LOCAL}}/bin/pyver.sh

  # sitecustomize is not getting made on 3.8

  - name: /usr/local/bin/pyver.sh 3
    shell: |
      export BASE_PYTHON3_MINOR={{BASE_PYTHON3_MINOR}}
      export PYVER=3
      {{USR_LOCAL}}/bin/pyver.sh

  #  only site - not dist on Ubuntu?
  - name: "make lib64/python{{BASE_PYTHON2_MINOR}}/site-packages/__init__.py"
    shell: |
      umask 0002
      [ -e "{{BASE_USR_LOCAL}}/{{item}}" ] && exit 0
      touch "{{BASE_USR_LOCAL}}/{{item}}"
      [ "{{ansible_distribution}}" != 'Msys' ] || \
        chown "{{ BOX_USER_NAME }}"."{{ BOX_ALSO_GROUP }}" "{{BASE_USR_LOCAL}}/{{item}}"
    with_items:
      - "{{LIB}}/python{{BASE_PYTHON2_MINOR}}/site-packages/__init__.py"


  - name: "set_fact BASE_PYVENV2_ARGS"
    set_fact:
      BASE_PYVENV2_ARGS: "{{ BASE_PYVENV_ARGS }} -p {{BASE_USR_LOCAL}}/bin/python2.sh --extra-search-dir={{USR_LOCAL}}/{{LIB}}/python{{BASE_PYTHON2_MINOR}}/site-packages"

  when:
    - "BASE_PYTHON2_MINOR != ''"


- block:
  - name: "set_fact BASE_PYVENV3_ARGS"
    set_fact:
      BASE_PYVENV3_ARGS: "{{ BASE_PYVENV_ARGS }} -p {{BASE_USR_LOCAL}}/bin/python3.sh --extra-search-dir={{USR_LOCAL}}/{{LIB}}/python{{BASE_PYTHON3_MINOR}}/site-packages"

  # sitecustomize is not getting made on 3.8
  - name: /usr/local/bin/pyver.sh
    shell: |
      export BASE_PYTHON3_MINOR={{BASE_PYTHON3_MINOR}}
      export PYVER=3
      {{USR_LOCAL}}/bin/pyver.sh

  #  only site - not dist on Ubuntu?
  - name: "make lib64/python{{BASE_PYTHON2_MINOR}}/site-packages/__init__.py"
    shell: |
      umask 0002
      [ -e "{{BASE_USR_LOCAL}}/{{item}}" ] && exit 0
      touch "{{BASE_USR_LOCAL}}/{{item}}"
      [ "{{ansible_distribution}}" != 'Msys' ] || \
        chown "{{ BOX_USER_NAME }}"."{{ BOX_ALSO_GROUP }}" "{{BASE_USR_LOCAL}}/{{item}}"

    with_items:
      - "{{LIB}}/python{{BASE_PYTHON3_MINOR}}/site-packages/__init__.py"

  when:
    - "BASE_PYTHON3_MINOR != ''"

- block:

  - name: "make root log directory"
    file:
      path: "{{BASE_ROOT_LOG_DIR}}"
      state: directory
      mode: 0775
      owner: "root"
      group: "{{ BOX_ALSO_GROUP }}"

  - name: "/etc/locale.gen"
    lineinfile:
      dest: "/etc/locale.gen"
      mode:  0755
      owner: root
      group: root
      create: yes
      regexp: "^#* *{{item}}"
      line: "{{item}}"
      insertafter: EOF
    with_items: "{{env_locales}}"
    notify: update locales

  - name: "Let vagrant su without a password /etc/sudoers"
    blockinfile:
      dest: /etc/sudoers
      create: yes
      mode: 0440
      marker: "# {mark} ANSIBLE MANAGED BLOCK base"
      insertafter: "## Same thing without a password"
      block: |
        %{{ base_sudo_group }} ALL=(ALL) NOPASSWD: ALL
    when:
      - "base_sudo_group != ''"
      - "'insecure_sudo' in BASE_FEATURES"
    # validate: /usr/sbin/visudo -cf /etc/sudoers

  - name: "Let vagrant su without a password /etc/group"
    user:
      name:  "{{ BOX_USER_NAME }}"
      group: "{{ BOX_USER_GROUP }}"
      shell: /bin/bash
      groups:
        - "{{ base_sudo_group}}"
      append: true
    when:
      - "base_sudo_group != ''"
      - "'insecure_sudo' in BASE_FEATURES"
    #? msg: module (user) is missing interpreter line
    ignore_errors: true

  - name: "/usr/local/etc/local.d/Whonix-Lati.rc"
    lineinfile:
      dest: "{{USR_LOCAL}}/etc/local.d/Whonix-Lati.rc"
      create: yes
      mode: 0770
      insertafter: BOF
      regexp: "^#.*mode:"
      line: "# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-"

  - name: "/usr/local/etc/local.d/Whonix-Lati.rc"
    blockinfile:
      dest: "{{USR_LOCAL}}/etc/local.d/Whonix-Lati.rc"
      create: yes
      mode: 0770
      marker: "# {mark} ANSIBLE MANAGED BLOCK base initctl"
      insertafter: EOF
      block: |
        [ ! -e /dev/initctl -a -e /run/initctl ] && ln -s /run/initctl /dev/initctl && exit 0
        [ ! -e /dev/initctl ] || mknod -m=0600 /dev/initctl p

    when:
      - BOX_SERVICE_MGR != "systemd"

  - name: "make /usr/local/lib linkx"
    shell: |
      dest="{{BASE_USR_LOCAL}}/{{BASE_LIB}}"
      [ {{BASE_LIB}} = 'lib' ] && src="{{BASE_USR_LOCAL}}/lib64" ||  src="{{BASE_USR_LOCAL}}/lib"
      [ -d $src ] || mkdir $src
      [ -d $dest ] || mkdir $dest
      cd $src || exit 1
      [ -e "python{{ BASE_PYTHON2_MINOR }}" ] || ln -s "../{{LIB}}/python{{ BASE_PYTHON2_MINOR }}" .
      [ -e "python{{ BASE_PYTHON3_MINOR }}" ] || ln -s "../{{LIB}}/python{{ BASE_PYTHON3_MINOR }}" .
      # our model is that user and group adm can pip install into {{USR_LOCAL}}
      # failsafe but often required and not covered elsewhere
      chown -R "{{ BOX_USER_NAME }}"."{{ BOX_ALSO_GROUP }}" $src/python* $dest/python*
      chmod -R g+rw $src/python* $dest/python*

    ignore_errors: true
    when: false

  - name: "make /dev/loop"
    shell: |
      # CONFIG_BLK_DEV_LOOP
      i=-1
      while [ $i -lt 16 ] ; do
          i=$( expr $i + 1 )
          [ -e /dev/loop$i ] && continue
          mknod /dev/loop$i b 7 $i
          chown root:disk /dev/loop$i
          chmod 660 /dev/loop$i
        done
      exit 0

  - name: "make /usr/local/var 1777 dirs"
    file:
      path: "{{BASE_USR_LOCAL}}/{{item}}"
      state: directory
      mode: 01777
      owner: "{{ BOX_USER_NAME }}"
      group: "{{ BOX_ALSO_GROUP }}"
    with_items:
      - var/cache
      - var/log
      - var/tmp
      - tmp
    check_mode: false


  # FixMe: change this to a user.yml; this should be run as vagrant and per sytem_user
  - name: "/usr/local/src/usr_local_base.sh"
    shell: |
      umask 0002
      {{BASE_USR_LOCAL}}/src/usr_local_base.bash
    args:
      chdir: "{{BASE_USR_LOCAL}}/src"
    become: yes
    become_user: "{{ BOX_USER_NAME }}"
    # FixME:
    ignore_errors: true
    when:
      - not ansible_check_mode

  - name: "base base {{ansible_distribution}}"
    # roles/base/tasks/
    include_tasks: base_{{ansible_distribution}}.yml

  - name: "make mountpoint dirs"
    shell: |
      umask 0022
      for elt in {{BOX_HOST_CONTAINER_MOUNTS|join(' ')}} ; do
          df | grep -q " $elt$" && continue
          [ -d $elt/tmp ] && continue
          [ -d $elt ] && continue
          mkdir $elt
        done
      exit 0
    when: "BOX_HOST_CONTAINER_MOUNTS|default([])|length > 0"

  # this should be run as root? no?
  - name: "/usr/local/src/usr_local_python.bash"
    shell: |
      umask 0002
      {{BASE_USR_LOCAL}}/src/usr_local_python.bash
    args:
      chdir: "{{BASE_USR_LOCAL}}/src"
      creates:
        - "{{BASE_USR_LOCAL}}/bin/python3.sh"
    become: yes
    become_user: "{{ BOX_USER_NAME }}"
    # FixMe
    ignore_errors: true

  # FixMe: pip doesnt buy this
  - name: "make /usr/local/net/Cache/Pip"
    file:
      path: "{{BASE_USR_LOCAL}}/{{item}}"
      state: directory
      # pip doesnt buy this - 01777
      mode: 0775
      owner: "{{ BOX_USER_NAME }}"
      group: "{{ BOX_ALSO_GROUP }}"
    with_items:
        - net/Cache/Pip
    #  could be a symlink
    ignore_errors: true

  - name: "make home dirs"
    file:
      path: "{{ item.dest }}"
      owner: "{{ item.owner }}"
      group: "{{ item.group }}"
      state: directory
      mode: "{{ item.mode }}"
    with_items:
      - {dest: "{{BOX_USER_HOME}}/etc/ssl/keys", owner: "{{ BOX_USER_NAME }}", group: "{{ BOX_ALSO_GROUP }}", mode: "0700" }
      - {dest: "/root/etc/ssl/keys", owner: "root", group: "root", mode: "0700" }
      - {dest: "{{BOX_USER_HOME}}/bin", owner: "{{ BOX_USER_NAME }}", group: "{{ BOX_ALSO_GROUP }}", mode: "0755" }
      - {dest: "{{BASE_SCRIPT_DIR}}", owner: "root", group: "root", mode: "0755" }

  - name: "/etc/wgetrc - needs coordinating with BASE_WGET_ARGS"
    blockinfile:
      dest: /etc/wgetrc
      create: yes
      marker: "# {mark} ANSIBLE MANAGED BLOCK base"
      block: |
        timestamping = on
        tries = 2
        # man wget Using --ca-directory is more efficient than --ca-certificate with many certificates
        #? Should we --ca-certificate={{PLAY_CA_CERT}} instead of default --ca-directory=/etc/ssl/certs/

  # link it as a backup but it may get removed
  # figure out how to extend apt and ansible's cert paths

  # 'Failed to validate the SSL certificate for sourceforge.net443. Make sure your managed systems have a valid CA certificate installed. You can use validate_certs=False if you do not need to confirm the servers identity but this is unsafe and not recommended. Paths checked for this platform /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible.
  - name: "make SSL_CERT_FILE link"
    file:
      src: "{{ SSL_CERT_FILE }}"
      dest: "/etc/ssl/certs/cacert-testserver.pem"
      state: link
      force: no
    when: false

  # https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/GnuPG
  # keys.indymedia.org 	HKP (11371), HTTPS (443), HKPS (443), HTTP (80) 	qtt2yl5jocgrk7nu.onion 2eghzlv2wwcq7u7y.onion 	HTTPS (443), HTTP (80), HKP (11371) HKP (11371), HTTP (80)


  # {{ groups['x']|map('extract', hostvars, 'ec2_ip_address')|list }}

  # A frequently used idiom is walking a group to find all IP addresses in that group:
  #    {% for host in groups['app_servers'] %}
  #       {{ hostvars[host]['ansible_eth0']['ipv4']['address'] }}
  #    {% endfor %}

  # old base
  - name: "/etc/localtime"
    shell: |
      BASE_timezone="{{ BASE_TIMEZONE|default('Etc/UTC') }}"
      [ -f "/usr/share/zoneinfo/$BASE_timezone" ] || exit 0
      [ -e /etc/localtime ] && exit 0
      ln -s /usr/share/zoneinfo/$BASE_timezone /etc/localtime
    ignore_errors: true

  - name: "/etc/BASE_timezone"
    copy:
      content: "{{ BASE_TIMEZONE|default('Etc/UTC') }}\n"
      dest: "/etc/timezone"

  - name: "setup hwclock"
    template:
      src: "hwclock.j2"
      dest: "/etc/{{ETC_CONF_D}}/hwclock"
      owner: "{{BASE_ROOT_USER}}"
      mode: 0644
      force: no
    # unfinished
    when: false
    
  when:
    - ansible_distribution != 'Msys'
first 2024-01-06 01:38:28 +00:00			`# -- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix --`

			`---`

			`- name: "DEBUG: base base.yml ansible_distribution ansible_virtualization_role"`
			`debug:`
			`verbosity: 1`
			`msg: "DEBUG: Including base base.yml {{ansible_distribution }} {{ ansible_virtualization_role\|replace('NA', 'host') }}"`

			`- block:`

			`# now unused?`
			`- name: "set PATH env_env"`
			`set_fact:`
			`# all of these should now get replaced by env_env`
			`env_env:`
			`# PATH: "{{ PATH }}"`
			`PYTHONPATH: ""`
			`TERM: linux`
			`shell_env:`
			`# FixMe: CLARIFY - is this ONLY controller path when -c local?`
			`#was PATH: "{{ ansible_env.PATH +':' +VAR_LOCAL +'/bin'\|replace('.:', '')}}"`
			`# PATH: "{{ PATH }}"`
			`PYTHONPATH: ""`
			`TERM: linux`

			`- name: "set PATH shell_env local"`
			`set_fact:`
			`shell_env:`
			`# FixMe: CLARIFY - is this ONLY controller path when -c local?`
			`PATH: "{{ ansible_env.PATH +':' +VAR_LOCAL +'/bin'\|replace('.:', '')}}"`
			`PYTHONPATH: ""`
			`TERM: linux`
			`when:`
			`- ansible_connection in ['local']`

			`- name: "set PATH shell_env not local"`
			`set_fact:`
			`shell_env:`
			`# PATH: "{{ PATH }}"`
			`PYTHONPATH: ""`
			`TERM: linux`
			`when:`
			`- ansible_connection not in ['local']`

			`# FixMe: CLARIFY - is this ONLY controller path when -c local?`
			`- name: lynis objects to . on the PATH and I cant find whos adding it`
			`shell: \|`
			`# clean path checks for /var/local/bin`
			`export PYTHONPATH=`
			`[ -f {{USR_LOCAL}}/bin/base_clean_path.bash ] && \`
			`bash {{USR_LOCAL}}/bin/base_clean_path.bash \|\| echo $PATH`
			`register: env_PATH`

			`- name: base /usr/local/src/usr_local_src.bash`
			`copy:`
bash 2024-01-09 15:39:19 +00:00			`src: "{{USR_LOCAL}}/src/usr_local_src.bash"`
			`dest: "{{USR_LOCAL}}/src/usr_local_src.bash"`
first 2024-01-06 01:38:28 +00:00			`mode: '0755'`
bash 2024-01-09 15:39:19 +00:00			`when:`
			`- ansible_virtualization_role\|replace('NA', 'host') != 'host'`

first 2024-01-06 01:38:28 +00:00			`- block:`

			`- name: /usr/local/bin/base_check_site_py.bash {{BASE_PYTHON3_MINOR}}`
			`shell: \|`
bash 2024-01-09 15:39:19 +00:00			`[ -e {{USR_LOCAL}}/bin/base_check_site_py.bash ] \|\| exit 0`
first 2024-01-06 01:38:28 +00:00			`export PYTHONPATH=''`
bash 2024-01-09 15:39:19 +00:00			`{{USR_LOCAL}}/bin/base_check_site_py.bash {{BASE_PYTHON3_MINOR}} \|\| exit 3$?`
first 2024-01-06 01:38:28 +00:00			`when:`
			`- "BASE_PYTHON3_MINOR != ''"`

			`- name: base /usr/local/bin/base_check_site_py.bash {{BASE_PYTHON2_MINOR}}`
			`shell: \|`
bash 2024-01-09 15:39:19 +00:00			`[ -e {{USR_LOCAL}}/bin/base_check_site_py.bash ] \|\| exit 0`
first 2024-01-06 01:38:28 +00:00			`export PYTHONPATH=''`
bash 2024-01-09 15:39:19 +00:00			`{{USR_LOCAL}}/bin/base_check_site_py.bash {{BASE_PYTHON2_MINOR}} \|\| exit 2$?`
first 2024-01-06 01:38:28 +00:00			`when:`
			`- "BASE_PYTHON2_MINOR != ''"`

			`# wierd error - fails under ansible but not at the command line`
			`rescue:`
			`- debug:`
bash 2024-01-09 15:39:19 +00:00			`msg: "ERROR: RESCUE WTF {{USR_LOCAL}}/bin/base_check_site_py.bash"`
first 2024-01-06 01:38:28 +00:00			`check_mode: false`
			`tags:`
			`- always`

			`- block:`

			`- name: get ipv6.disable=1 cmdline`
			`shell: \|`
			`grep ipv6.disable=1 /proc/cmdline`
			`register : base_ipv6_disable_line`
			`failed_when: false`
			`check_mode: false`

			`- set_fact:`
			`BASE_IPV6_DISABLE: 0`
			`when: base_ipv6_disable_line is failed`

			`- set_fact:`
			`BASE_IPV6_DISABLE: 1`
			`when: base_ipv6_disable_line is success`

			`when: "BOX_IPV6_DISABLE != ''"`

			`- name: /etc/nsswitch.conf`
			`lineinfile:`
			`dest: /etc/nsswitch.conf`
			`regexp: "^{{item.name}}:.*"`
			`line: "{{item.name}}: {{item.val}}"`
			`state: present`
			`with_items:`
			`- { name: passwd, val: "compat files" }`
			`- { name: group, val: "compat files" }`

			`# oddball from Emacs doing a DNS lookup of hostname - force it to localhost`
			`- name: "/etc/hosts"`
			`shell: \|`
			`umask 022`
			`[ ! -f /etc/hosts ] && echo "127.0.0.1 localhost {{BOX_HOST_NAME}}" >> /etc/hosts && exit 0`
			`grep -q "^127.0.0.1.* {{BOX_HOST_NAME}}" /etc/hosts && exit 0`
			`sed -e 's/\(127.0.0.1.* localhost\)/\1 {{BOX_HOST_NAME}}/' -i /etc/hosts`
			`exit 0`
			`when: BOX_HOST_NAME\|default('') != ''`

			`- name: dunno where`
			`shell: \|`
			`[ -d /tmp/.ansible/tmp ] \|\| mkdir -p /tmp/.ansible/tmp`
			`chmod 1777 /tmp/.ansible/tmp`

			`- block:`

			`- debug:`
			`msg: "WARN: user BOX_USER_NAME={{ BOX_USER_NAME }} cannot be root - must be unprived"`
			`when:`
			`- BOX_USER_NAME\|default('') == 'root'`

			`- name: setting BOX_USER_NAME to vagrant`
			`set_fact:`
			`# this should be seat on the command line - vagrant`
			`BOX_USER_NAME: "vagrant"`
			`# this should be set on the command line - /home/vagrant`
			`BOX_USER_HOME: "/home/vagrant"`
			`BOX_USER_GROUP: "vagrant"`
			`# adm group 4 is the same on on Gentoo and Ubuntu -`
			`# group 4 on Gentoo and Ubuntu is a conveience to be my group and the NTFS group`
			`BOX_ALSO_GROUP: "adm"`

			`when: BOX_USER_NAME\|default('') == '' or BOX_USER_NAME\|default('') == 'root'`

			`- assert:`
			`that:`
			`- BOX_USER_NAME\|default('') != 'root'`
			`fail_msg: "ERROR: user BOX_USER_NAME={{ BOX_USER_NAME }} cannot be root - must be unprived"`

			`- name: msg BOX_USER_HOME`
			`debug:`
			`msg: "BOX_USER_HOME {{ BOX_USER_HOME\|default('') }}"`

			`- name: assert BOX_USER_HOME is not null`
			`assert:`
			`that:`
			`- "{{ BOX_USER_HOME\|default('') != '' }}"`

			`- block:`

			`- name: "create adm group - optional"`
			`group:`
			`name: "{{ BOX_ALSO_GROUP }}"`
			`system: yes`
			`when: "BOX_ALSO_GROUP != ''"`

			`- name: "create vagrant group"`
			`group:`
			`name: "{{ BOX_USER_GROUP }}"`

			`# "ensure an non-priv account like vagrant exists"`
			`# FixMe: useradd: Can't get unique subordinate UID range`
			`# useradd: can't create subordinate user IDs`
			`- name: "add vagrant user"`
			`user:`
			`name: "{{ BOX_USER_NAME }}"`
			`group: "{{ BOX_USER_GROUP }}"`
			`append: true`
			`groups: ["{{ BOX_ALSO_GROUP }}"]`
			`home: "{{ BOX_USER_HOME }}"`
			`create_home: yes`
			`shell: /bin/bash`
			`#? usermod: user vagrant is currently used by process 2190`
			`ignore_errors: true`

			`- name: "make vagrant HOME directory"`
			`file:`
			`path: "{{BOX_USER_HOME}}"`
			`state: directory`
			`mode: 0700`
			`owner: "{{ BOX_USER_NAME }}"`
			`group: "{{ BOX_USER_GROUP }}"`

			`when: BOX_USER_NAME\|default('') != ''`
			`check_mode: false`

			`- block:`

			`- name: get passwd line`
			`shell: \|`
			`[ -f /etc/passwd ] \|\| exit 0`
			`grep ^{{BOX_USER_NAME}} /etc/passwd`
			`register : base_boxuser_passwd_line`
			`failed_when: false`
			`check_mode: false`

			`- block:`

			`- assert:`
			`that:`
			`- base_boxuser_passwd_line is success`
			`fail_msg: "ERROR: user BOX_USER_NAME={{ BOX_USER_NAME }} not found in /etc/passwd"`

			`# ansible will null this if you run user: without a home:`
			`- assert:`
			`that:`
			`- "{{ base_boxuser_passwd_line.stdout.split(':')[5] != '' }}"`
			`fail_msg: "BOX_USER_HOME is not null in /etc/passwd"`

			`- name: BOX_USER_HOME`
			`set_fact:`
			`BOX_USER_HOME: "{{ base_boxuser_passwd_line['stdout'].split(':')[5] }}"`
			`when: BOX_USER_HOME\|default('') == ''`

			`- name: msg BOX_USER_HOME`
			`debug:`
			`msg: "BOX_USER_HOME {{ BOX_USER_HOME\|default('') }}"`

			`- name: BOX_USER_GROUP`
			`set_fact:`
			`BOX_USER_GROUP: "{{ base_boxuser_passwd_line['stdout'].split(':')[3]\|int }}"`
			`when: BOX_USER_GROUP\|default('') == ''`

			`check_mode: false`

			`when:`
			`- BOX_USER_NAME\|default('') != ''`
			`- ansible_distribution != 'Msys'`

			`- block:`

			`- name: "are we connected? - old ip route default"`
			`# FixMe: maybe change this to nmap - sometimes ICMP is blocked and its blocked by firewall.conf`
			`# nmap -Pn -sU -p U:53 208.67.220.220 ' 0 hosts up'`
			`# ping -n -c 1 -I "$wlan" 8.8.8.8 >/dev/null - wont work in a vbox or behind a firewall`
			`shell: \|`
			a=`route \| grep -q ^default` \|\| exit 1
			`[ - z "$a" ] && exit 2`
			wlan=`echo $a \| sed -e 's@.* @@'` && \
			`ifconfig "$wlan" \| grep -q UP && echo $wlan`
			`register: wlan_up`
			`failed_when: false`
			`when: false`

			`- name: "are we connected? - base_get_if.bash"`
			`shell: \|`
			`ip route \| grep -q ^default \|\| exit 1$?`
bash 2024-01-09 15:39:19 +00:00			wlan=`{{USR_LOCAL}}/bin/base_get_if.bash` \|\| exit 3
first 2024-01-06 01:38:28 +00:00			`if [ -n "$wlan" ] ; then`
			`ifconfig "$wlan" \| grep -q UP && echo $wlan \|\| true`
			`else`
			a=`route \| grep ^default` && \
			`[ -n "$a" ] && \`
			wlan=`echo $a \| sed -e 's@.* @@'` && \
			`[ -n "$wlan" ] && \`
			`ifconfig "$wlan" \| grep -q UP && \`
			`echo $wlan`
			`fi`
			`register: wlan_up`
			`failed_when: false`
			`when: true`

			`- name: "are we connected? - new wifi"`
			`shell: \|`
			`ip route \| grep -q ^default \|\| exit 1$?`
bash 2024-01-09 15:39:19 +00:00			`{{USR_LOCAL}}/bin/proxy_ping_test.bash wifi \|\| exit 2$?`
			wlan=`{{USR_LOCAL}}/bin/base_get_if.bash`
first 2024-01-06 01:38:28 +00:00			`echo $wlan`
			`register: wlan_up_no`
			`failed_when: false`
			`when: false`

			`- name: debug wlan_up`
			`debug:`
			`var: wlan_up`

			`- name: "we are connected device wlan_up.stdout"`
			`set_fact:`
			`BASE_ARE_CONNECTED="{{ wlan_up.stdout }}"`
			`when:`
			`- wlan_up is success`
			`#? - wlan_up.stdout\|default("") != ""`

			`- name: "we are connected device - unconnected n"`
			`set_fact:`
			`BASE_ARE_CONNECTED=""`
			`when:`
			`- wlan_up.rc\|default(1) != 0 or wlan_up.stdout\|default('') == ''`

			`check_mode: false`
			`when:`
			`- BOX_OS_FAMILY != 'Windows'`

			`- block:`

			`- name: "we are connected device - WGate106"`
			`set_fact:`
			`BASE_ARE_CONNECTED=""`
			`when:`
			`- BOX_OS_FLAVOR\|default('') == 'WGate106' or BOX_OS_FAMILY == 'Windows'`

			`- debug:`
			`verbosity: 1`
			`msg: "DEBUG: BASE_ARE_CONNECTED={{BASE_ARE_CONNECTED}}"`

			`- name: set the default route device if we are connected`
			`set_fact:`
			`BASE_OUTPUT_IF: "{{BASE_ARE_CONNECTED}}"`
			`when:`
			`- "BASE_ARE_CONNECTED != ''"`
			`- ansible_distribution != 'Msys'`

			`- name: set the default route device if we are not connected`
			`set_fact:`
			`BASE_OUTPUT_IF: "{{BASE_DEFAULT_OUTPUT_IF}}"`
			`when:`
			`- "BASE_ARE_CONNECTED == ''"`
			`- ansible_distribution != 'Msys'`

			`- block:`

			`- name: "make /usr/local"`
			`file:`
			`path: "{{BASE_USR_LOCAL}}/{{item}}"`
			`state: directory`
			`mode: 0775`
			`group: "{{ BOX_ALSO_GROUP }}"`
			`with_items:`
			`- bin`
			`- data`
			`- etc/testforge`
			`- etc/ssl`
			`- "{{LIB}}"`
			`- lib/ruby`
			`- lib/sysctl.d`
			`- net/Http`
			`- net/Git`
			`- sbin`
			`- share/info`
			`- share/man/man1`
			`- src`
			`- var`

			`check_mode: false`

			`- block:`

			`# sitecustomize is not getting made on 3.8`
			`- name: /usr/local/bin/pyver.sh 2`
			`shell: \|`
			`export BASE_PYTHON2_MINOR={{BASE_PYTHON2_MINOR}}`
			`export PYVER=2`
bash 2024-01-09 15:39:19 +00:00			`{{USR_LOCAL}}/bin/pyver.sh`
first 2024-01-06 01:38:28 +00:00
			`# sitecustomize is not getting made on 3.8`

			`- name: /usr/local/bin/pyver.sh 3`
			`shell: \|`
			`export BASE_PYTHON3_MINOR={{BASE_PYTHON3_MINOR}}`
			`export PYVER=3`
bash 2024-01-09 15:39:19 +00:00			`{{USR_LOCAL}}/bin/pyver.sh`
first 2024-01-06 01:38:28 +00:00
			`# only site - not dist on Ubuntu?`
			`- name: "make lib64/python{{BASE_PYTHON2_MINOR}}/site-packages/__init__.py"`
			`shell: \|`
			`umask 0002`
			`[ -e "{{BASE_USR_LOCAL}}/{{item}}" ] && exit 0`
			`touch "{{BASE_USR_LOCAL}}/{{item}}"`
			`[ "{{ansible_distribution}}" != 'Msys' ] \|\| \`
			`chown "{{ BOX_USER_NAME }}"."{{ BOX_ALSO_GROUP }}" "{{BASE_USR_LOCAL}}/{{item}}"`
			`with_items:`
			`- "{{LIB}}/python{{BASE_PYTHON2_MINOR}}/site-packages/__init__.py"`


			`- name: "set_fact BASE_PYVENV2_ARGS"`
			`set_fact:`
			`BASE_PYVENV2_ARGS: "{{ BASE_PYVENV_ARGS }} -p {{BASE_USR_LOCAL}}/bin/python2.sh --extra-search-dir={{USR_LOCAL}}/{{LIB}}/python{{BASE_PYTHON2_MINOR}}/site-packages"`

			`when:`
			`- "BASE_PYTHON2_MINOR != ''"`


			`- block:`
			`- name: "set_fact BASE_PYVENV3_ARGS"`
			`set_fact:`
			`BASE_PYVENV3_ARGS: "{{ BASE_PYVENV_ARGS }} -p {{BASE_USR_LOCAL}}/bin/python3.sh --extra-search-dir={{USR_LOCAL}}/{{LIB}}/python{{BASE_PYTHON3_MINOR}}/site-packages"`

			`# sitecustomize is not getting made on 3.8`
			`- name: /usr/local/bin/pyver.sh`
			`shell: \|`
			`export BASE_PYTHON3_MINOR={{BASE_PYTHON3_MINOR}}`
			`export PYVER=3`
bash 2024-01-09 15:39:19 +00:00			`{{USR_LOCAL}}/bin/pyver.sh`
first 2024-01-06 01:38:28 +00:00
			`# only site - not dist on Ubuntu?`
			`- name: "make lib64/python{{BASE_PYTHON2_MINOR}}/site-packages/__init__.py"`
			`shell: \|`
			`umask 0002`
			`[ -e "{{BASE_USR_LOCAL}}/{{item}}" ] && exit 0`
			`touch "{{BASE_USR_LOCAL}}/{{item}}"`
			`[ "{{ansible_distribution}}" != 'Msys' ] \|\| \`
			`chown "{{ BOX_USER_NAME }}"."{{ BOX_ALSO_GROUP }}" "{{BASE_USR_LOCAL}}/{{item}}"`

			`with_items:`
			`- "{{LIB}}/python{{BASE_PYTHON3_MINOR}}/site-packages/__init__.py"`

			`when:`
			`- "BASE_PYTHON3_MINOR != ''"`

			`- block:`

			`- name: "make root log directory"`
			`file:`
			`path: "{{BASE_ROOT_LOG_DIR}}"`
			`state: directory`
			`mode: 0775`
			`owner: "root"`
			`group: "{{ BOX_ALSO_GROUP }}"`

			`- name: "/etc/locale.gen"`
			`lineinfile:`
			`dest: "/etc/locale.gen"`
			`mode: 0755`
			`owner: root`
			`group: root`
			`create: yes`
			`regexp: "^#* *{{item}}"`
			`line: "{{item}}"`
			`insertafter: EOF`
			`with_items: "{{env_locales}}"`
			`notify: update locales`

			`- name: "Let vagrant su without a password /etc/sudoers"`
			`blockinfile:`
			`dest: /etc/sudoers`
			`create: yes`
			`mode: 0440`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK base"`
			`insertafter: "## Same thing without a password"`
			`block: \|`
			`%{{ base_sudo_group }} ALL=(ALL) NOPASSWD: ALL`
			`when:`
			`- "base_sudo_group != ''"`
			`- "'insecure_sudo' in BASE_FEATURES"`
			`# validate: /usr/sbin/visudo -cf /etc/sudoers`

			`- name: "Let vagrant su without a password /etc/group"`
			`user:`
			`name: "{{ BOX_USER_NAME }}"`
			`group: "{{ BOX_USER_GROUP }}"`
			`shell: /bin/bash`
			`groups:`
			`- "{{ base_sudo_group}}"`
			`append: true`
			`when:`
			`- "base_sudo_group != ''"`
			`- "'insecure_sudo' in BASE_FEATURES"`
			`#? msg: module (user) is missing interpreter line`
			`ignore_errors: true`

			`- name: "/usr/local/etc/local.d/Whonix-Lati.rc"`
			`lineinfile:`
bash 2024-01-09 15:39:19 +00:00			`dest: "{{USR_LOCAL}}/etc/local.d/Whonix-Lati.rc"`
first 2024-01-06 01:38:28 +00:00			`create: yes`
			`mode: 0770`
			`insertafter: BOF`
			`regexp: "^#.*mode:"`
			`line: "# --mode: sh; tab-width: 8; coding: utf-8-unix --"`

			`- name: "/usr/local/etc/local.d/Whonix-Lati.rc"`
			`blockinfile:`
bash 2024-01-09 15:39:19 +00:00			`dest: "{{USR_LOCAL}}/etc/local.d/Whonix-Lati.rc"`
first 2024-01-06 01:38:28 +00:00			`create: yes`
			`mode: 0770`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK base initctl"`
			`insertafter: EOF`
			`block: \|`
			`[ ! -e /dev/initctl -a -e /run/initctl ] && ln -s /run/initctl /dev/initctl && exit 0`
			`[ ! -e /dev/initctl ] \|\| mknod -m=0600 /dev/initctl p`

			`when:`
			`- BOX_SERVICE_MGR != "systemd"`

			`- name: "make /usr/local/lib linkx"`
			`shell: \|`
			`dest="{{BASE_USR_LOCAL}}/{{BASE_LIB}}"`
			`[ {{BASE_LIB}} = 'lib' ] && src="{{BASE_USR_LOCAL}}/lib64" \|\| src="{{BASE_USR_LOCAL}}/lib"`
			`[ -d $src ] \|\| mkdir $src`
			`[ -d $dest ] \|\| mkdir $dest`
			`cd $src \|\| exit 1`
			`[ -e "python{{ BASE_PYTHON2_MINOR }}" ] \|\| ln -s "../{{LIB}}/python{{ BASE_PYTHON2_MINOR }}" .`
			`[ -e "python{{ BASE_PYTHON3_MINOR }}" ] \|\| ln -s "../{{LIB}}/python{{ BASE_PYTHON3_MINOR }}" .`
bash 2024-01-09 15:39:19 +00:00			`# our model is that user and group adm can pip install into {{USR_LOCAL}}`
first 2024-01-06 01:38:28 +00:00			`# failsafe but often required and not covered elsewhere`
			`chown -R "{{ BOX_USER_NAME }}"."{{ BOX_ALSO_GROUP }}" $src/python* $dest/python*`
			`chmod -R g+rw $src/python* $dest/python*`

			`ignore_errors: true`
			`when: false`

			`- name: "make /dev/loop"`
			`shell: \|`
			`# CONFIG_BLK_DEV_LOOP`
			`i=-1`
			`while [ $i -lt 16 ] ; do`
			`i=$( expr $i + 1 )`
			`[ -e /dev/loop$i ] && continue`
			`mknod /dev/loop$i b 7 $i`
bash 2024-01-09 15:39:19 +00:00			`chown root:disk /dev/loop$i`
first 2024-01-06 01:38:28 +00:00			`chmod 660 /dev/loop$i`
			`done`
			`exit 0`

			`- name: "make /usr/local/var 1777 dirs"`
			`file:`
			`path: "{{BASE_USR_LOCAL}}/{{item}}"`
			`state: directory`
			`mode: 01777`
			`owner: "{{ BOX_USER_NAME }}"`
			`group: "{{ BOX_ALSO_GROUP }}"`
			`with_items:`
			`- var/cache`
			`- var/log`
			`- var/tmp`
			`- tmp`
			`check_mode: false`


			`# FixMe: change this to a user.yml; this should be run as vagrant and per sytem_user`
			`- name: "/usr/local/src/usr_local_base.sh"`
			`shell: \|`
			`umask 0002`
			`{{BASE_USR_LOCAL}}/src/usr_local_base.bash`
			`args:`
			`chdir: "{{BASE_USR_LOCAL}}/src"`
			`become: yes`
			`become_user: "{{ BOX_USER_NAME }}"`
			`# FixME:`
			`ignore_errors: true`
			`when:`
			`- not ansible_check_mode`

			`- name: "base base {{ansible_distribution}}"`
			`# roles/base/tasks/`
			`include_tasks: base_{{ansible_distribution}}.yml`

			`- name: "make mountpoint dirs"`
			`shell: \|`
			`umask 0022`
			`for elt in {{BOX_HOST_CONTAINER_MOUNTS\|join(' ')}} ; do`
			`df \| grep -q " $elt$" && continue`
			`[ -d $elt/tmp ] && continue`
			`[ -d $elt ] && continue`
			`mkdir $elt`
			`done`
			`exit 0`
			`when: "BOX_HOST_CONTAINER_MOUNTS\|default([])\|length > 0"`

			`# this should be run as root? no?`
			`- name: "/usr/local/src/usr_local_python.bash"`
			`shell: \|`
			`umask 0002`
			`{{BASE_USR_LOCAL}}/src/usr_local_python.bash`
			`args:`
			`chdir: "{{BASE_USR_LOCAL}}/src"`
			`creates:`
			`- "{{BASE_USR_LOCAL}}/bin/python3.sh"`
			`become: yes`
			`become_user: "{{ BOX_USER_NAME }}"`
bash 2024-01-09 15:39:19 +00:00			`# FixMe`
			`ignore_errors: true`
first 2024-01-06 01:38:28 +00:00
			`# FixMe: pip doesnt buy this`
			`- name: "make /usr/local/net/Cache/Pip"`
			`file:`
			`path: "{{BASE_USR_LOCAL}}/{{item}}"`
			`state: directory`
			`# pip doesnt buy this - 01777`
			`mode: 0775`
			`owner: "{{ BOX_USER_NAME }}"`
			`group: "{{ BOX_ALSO_GROUP }}"`
			`with_items:`
			`- net/Cache/Pip`
			`# could be a symlink`
			`ignore_errors: true`

			`- name: "make home dirs"`
			`file:`
			`path: "{{ item.dest }}"`
			`owner: "{{ item.owner }}"`
			`group: "{{ item.group }}"`
			`state: directory`
			`mode: "{{ item.mode }}"`
			`with_items:`
			`- {dest: "{{BOX_USER_HOME}}/etc/ssl/keys", owner: "{{ BOX_USER_NAME }}", group: "{{ BOX_ALSO_GROUP }}", mode: "0700" }`
			`- {dest: "/root/etc/ssl/keys", owner: "root", group: "root", mode: "0700" }`
			`- {dest: "{{BOX_USER_HOME}}/bin", owner: "{{ BOX_USER_NAME }}", group: "{{ BOX_ALSO_GROUP }}", mode: "0755" }`
			`- {dest: "{{BASE_SCRIPT_DIR}}", owner: "root", group: "root", mode: "0755" }`

			`- name: "/etc/wgetrc - needs coordinating with BASE_WGET_ARGS"`
			`blockinfile:`
			`dest: /etc/wgetrc`
			`create: yes`
			`marker: "# {mark} ANSIBLE MANAGED BLOCK base"`
			`block: \|`
			`timestamping = on`
			`tries = 2`
			`# man wget Using --ca-directory is more efficient than --ca-certificate with many certificates`
			`#? Should we --ca-certificate={{PLAY_CA_CERT}} instead of default --ca-directory=/etc/ssl/certs/`

			`# link it as a backup but it may get removed`
			`# figure out how to extend apt and ansible's cert paths`

			`# 'Failed to validate the SSL certificate for sourceforge.net443. Make sure your managed systems have a valid CA certificate installed. You can use validate_certs=False if you do not need to confirm the servers identity but this is unsafe and not recommended. Paths checked for this platform /etc/ssl/certs, /etc/pki/ca-trust/extracted/pem, /etc/pki/tls/certs, /usr/share/ca-certificates/cacert.org, /etc/ansible.`
			`- name: "make SSL_CERT_FILE link"`
			`file:`
			`src: "{{ SSL_CERT_FILE }}"`
			`dest: "/etc/ssl/certs/cacert-testserver.pem"`
			`state: link`
			`force: no`
			`when: false`

			`# https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/GnuPG`
			`# keys.indymedia.org HKP (11371), HTTPS (443), HKPS (443), HTTP (80) qtt2yl5jocgrk7nu.onion 2eghzlv2wwcq7u7y.onion HTTPS (443), HTTP (80), HKP (11371) HKP (11371), HTTP (80)`


			`# {{ groups['x']\|map('extract', hostvars, 'ec2_ip_address')\|list }}`

			`# A frequently used idiom is walking a group to find all IP addresses in that group:`
			`# {% for host in groups['app_servers'] %}`
			`# {{ hostvars[host]['ansible_eth0']['ipv4']['address'] }}`
			`# {% endfor %}`

			`# old base`
			`- name: "/etc/localtime"`
			`shell: \|`
			`BASE_timezone="{{ BASE_TIMEZONE\|default('Etc/UTC') }}"`
			`[ -f "/usr/share/zoneinfo/$BASE_timezone" ] \|\| exit 0`
			`[ -e /etc/localtime ] && exit 0`
			`ln -s /usr/share/zoneinfo/$BASE_timezone /etc/localtime`
			`ignore_errors: true`

			`- name: "/etc/BASE_timezone"`
			`copy:`
			`content: "{{ BASE_TIMEZONE\|default('Etc/UTC') }}\n"`
			`dest: "/etc/timezone"`

			`- name: "setup hwclock"`
			`template:`
			`src: "hwclock.j2"`
			`dest: "/etc/{{ETC_CONF_D}}/hwclock"`
			`owner: "{{BASE_ROOT_USER}}"`
			`mode: 0644`
			`force: no`
			`# unfinished`
			`when: false`

			`when:`
			`- ansible_distribution != 'Msys'`