---
# Bootstrap orchestration: validate inputs, stage the installroot under /mnt,
# run the OS-specific installer, then post-configure the PAM stack, hardware
# and desktop packages, and DNS inside the new root.

- name: Validate bootstrap input
  ansible.builtin.import_tasks: _validate.yml

# Stage the kernel API filesystems below the new root for the RedHat-family
# installer (dnf --installroot, see the authselect note further down).
- name: Create API filesystem mountpoints in installroot
  ansible.builtin.file:
    path: "/mnt/{{ item }}"
    state: directory
    mode: "0755"
  loop:
    - dev
    - proc
    - sys
  when: os_family == "RedHat"

# Host /dev is bind-mounted (non-recursive), so every host device node is
# visible to whatever runs inside the installroot. All of these mounts are
# ephemeral (never written to fstab); their teardown is not part of this file.
- name: Mount API filesystems into installroot
  ansible.posix.mount:
    src: "{{ item.src }}"
    path: "/mnt/{{ item.path }}"
    fstype: "{{ item.fstype }}"
    # default(omit) drops the opts parameter for entries that have none
    opts: "{{ item.opts | default(omit) }}"
    state: ephemeral
  loop:
    - src: proc
      path: proc
      fstype: proc
    - src: sysfs
      path: sys
      fstype: sysfs
    - src: /dev
      path: dev
      fstype: none
      opts: bind
    # Must come after the /dev bind mount: /mnt/dev/pts is not created by the
    # mountpoint task above, so it presumably comes from the host's /dev tree.
    # gid=5,mode=620 is the conventional devpts setting (new ptys owned by
    # gid 5, permissions 0620).
    - src: devpts
      path: dev/pts
      fstype: devpts
      opts: "gid=5,mode=620"
  loop_control:
    label: "{{ item.path }}"
  when: os_family == "RedHat"

# Installers write their cache inside the installroot; redirect it off the
# 2 GiB CIS /var LV.
- name: Create bootstrap package-cache directory
  ansible.builtin.file:
    path: /mnt/.bootstrap-cache
    state: directory
    mode: "0755"

# NOTE(review): the bind target /mnt/var/cache is not created in this file;
# confirm that the earlier /var LV setup provides it or that ansible.posix.mount
# creates it for state=ephemeral. The source directory lives on the target root
# filesystem, so confirm it is cleaned up after bootstrap — otherwise the
# installed system ships a stale package cache at /.bootstrap-cache.
- name: Redirect package cache off the CIS /var LV
  ansible.posix.mount:
    src: /mnt/.bootstrap-cache
    path: /mnt/var/cache
    fstype: none
    opts: bind
    state: ephemeral

# bootstrap_var_key removes "-lts" from `os` and turns dashes into underscores
# (constructed example: os=foo-bar-lts -> bootstrap_foo_bar). The task file is
# looked up in bootstrap_os_task_map; presumably _validate.yml constrains `os`
# to a key of that map, since an unknown key makes this lookup fail.
- name: Run OS-specific bootstrap process
  ansible.builtin.include_tasks: "{{ bootstrap_os_task_map[os] }}"
  vars:
    bootstrap_var_key: "bootstrap_{{ os | replace('-lts', '') | replace('-', '_') }}"

# dnf --installroot never runs anaconda, so no authselect profile is selected
# and /etc/pam.d/system-auth is missing, leaving the system unable to
# authenticate. local is the right profile: local-auth only, no pam_sss.so,
# still CIS-capable.
- name: Select default authselect profile for the PAM stack
  ansible.builtin.command: "{{ chroot_command }} authselect select local --force"
  register: bootstrap_authselect_result
  # A non-zero rc already fails the task, so this reports "changed" on every
  # successful run; the command is not made idempotent.
  changed_when: bootstrap_authselect_result.rc == 0
  when: is_authselect | bool

- name: Install hardware-matched firmware/microcode/GPU/peripheral packages
  ansible.builtin.include_tasks: _hardware.yml
  when: >-
    (system_cfg.features.firmware.enabled | bool)
    or (system_cfg.features.gpu.enabled | bool)
    or (system_cfg.features.peripherals.enabled | bool)

- name: Install desktop environment packages
  ansible.builtin.include_tasks: _desktop.yml
  when: system_cfg.features.desktop.enabled | bool

# force=true lets the link replace a regular resolv.conf the installer may have
# written. NOTE(review): the link target is absolute, so a process inside the
# chroot resolves it to /mnt/run/NetworkManager/resolv.conf, and /run is not
# among the mounts above — confirm nothing in the chroot needs name
# resolution, or bind /run as well.
- name: Ensure chroot uses live environment DNS
  ansible.builtin.file:
    src: /run/NetworkManager/resolv.conf
    dest: /mnt/etc/resolv.conf
    state: link
    force: true