veza/ansible/playbooks/00-bootstrap-remote.yml

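---
# Bootstrap a remote Debian host for the Veza V5 Ultra deployment.
#
# Runs before every other play. The first tasks use `raw` because the target
# may not have Python yet; once python3 is installed the remaining tasks use
# normal modules. The play also grants the deploy user passwordless sudo,
# tunes sshd keepalives, and brings up UFW with only the Veza TCP ports open.
- name: Bootstrap Debian host for Veza deployment
  hosts: edge
  # Fact gathering needs Python on the target, which this play installs.
  gather_facts: false
  become: true

  vars:
    # Account that receives passwordless sudo via /etc/sudoers.d.
    veza_admin_user: senke
    # TCP ports opened in UFW before the firewall is enabled. Keep "22" in
    # this list, otherwise enabling UFW cuts off the SSH session running
    # this play.
    veza_open_tcp_ports:
      - "22"    # SSH
      - "80"    # HTTP
      - "443"   # HTTPS
      - "8080"  # Backend API
      - "8081"  # Chat WebSocket
      - "8082"  # Stream HLS

  pre_tasks:
    # DEBIAN_FRONTEND=noninteractive stops debconf prompts from hanging a
    # `raw` apt-get run, which has no terminal to answer them.
    - name: Install python3 and essential packages (raw, Python may be absent)
      ansible.builtin.raw: |
        export DEBIAN_FRONTEND=noninteractive
        apt-get update && apt-get install -y \
          python3 \
          python3-pip \
          sudo \
          curl \
          gnupg \
          net-tools \
          ca-certificates \
          apt-transport-https \
          lsb-release \
          wget \
          unzip \
          git \
          vim \
          htop \
          iotop \
          nethogs

    # The check must look for "python", not "python3": python3 was just
    # installed above, and the symlink only makes sense when the unversioned
    # name is missing. Checking python3 would create a dangling link.
    - name: Check whether an unversioned "python" interpreter exists
      ansible.builtin.raw: command -v python
      register: python_check
      failed_when: false
      changed_when: false

    # Gated on the check so an existing, package-managed /usr/bin/python is
    # never overwritten.
    - name: Create python -> python3 symlink if "python" is missing
      ansible.builtin.raw: ln -sf /usr/bin/python3 /usr/bin/python
      when: python_check.rc != 0

    # Python is available now, so the apt module (idempotent, reports
    # changed only when it installs something) replaces a second raw run.
    - name: Install additional Python and snap packages
      ansible.builtin.apt:
        name:
          - python3-pip
          - python3-venv
          - snapd
        state: present

    # NOPASSWD:ALL grants the deploy user full root without a password. The
    # drop-in is validated with visudo before it is installed so a malformed
    # line cannot break sudo for every account on the host.
    - name: Grant passwordless sudo to the deploy user
      ansible.builtin.copy:
        dest: "/etc/sudoers.d/{{ veza_admin_user }}"
        content: "{{ veza_admin_user }} ALL=(ALL) NOPASSWD:ALL\n"
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s

    - name: Configure sshd keepalives
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        state: present
        # Reject the edit if the resulting file does not parse, so the
        # handler never restarts sshd into a config that locks us out.
        validate: /usr/sbin/sshd -t -f %s
      loop:
        - { regexp: "^#?ClientAliveInterval", line: "ClientAliveInterval 60" }
        - { regexp: "^#?ClientAliveCountMax", line: "ClientAliveCountMax 3" }
        - { regexp: "^#?TCPKeepAlive", line: "TCPKeepAlive yes" }
      notify: restart ssh

    - name: Ensure SSH service is enabled and running
      ansible.builtin.systemd:
        name: ssh
        state: started
        enabled: true

    - name: Install UFW
      ansible.builtin.apt:
        name: ufw
        state: present

    # Allow rules go in before the firewall is enabled so the SSH session
    # running this play survives the switch to default-deny.
    - name: Allow Veza TCP ports through UFW
      community.general.ufw:
        rule: allow
        port: "{{ item }}"
        proto: tcp
      loop: "{{ veza_open_tcp_ports }}"

    - name: Enable UFW with a default-deny incoming policy
      community.general.ufw:
        state: enabled
        policy: deny
        direction: incoming

  handlers:
    - name: restart ssh
      ansible.builtin.systemd:
        name: ssh
        state: restarted

  post_tasks:
    # Confirms the managed node is reachable with a working Python after the
    # firewall change.
    - name: Test connectivity
      ansible.builtin.ping: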