---
- name: Speed-up Bootstrap process
  when: not (custom_iso | bool)
  ansible.builtin.lineinfile:
    path: /etc/pacman.conf
    regexp: ^#ParallelDownloads =
    line: ParallelDownloads = 20

- name: Wait for pacman lock to be released
  when: not (custom_iso | bool)
  ansible.builtin.wait_for:
    path: /var/lib/pacman/db.lck
    state: absent
    timeout: 120
  changed_when: false

- name: Setup Pacman
  when:
    - not (custom_iso | bool)
    - item.os is not defined or os in item.os
  community.general.pacman:
    update_cache: true
    force: true
    name: "{{ item.name }}"
    state: latest
  loop:
    - { name: glibc }
    - { name: dnf, os: [almalinux, fedora, rhel, rocky] }
    - { name: debootstrap, os: [debian, ubuntu, ubuntu-lts] }
    - { name: debian-archive-keyring, os: [debian] }
    - { name: ubuntu-keyring, os: [ubuntu, ubuntu-lts] }
  loop_control:
    label: "{{ item.name }}"
  retries: 4
  delay: 15

- name: Prepare /iso mount and repository for RHEL-based systems
  when: os == "rhel"
  block:
    - name: Create /iso directory
      ansible.builtin.file:
        path: /usr/local/install/redhat/dvd
        state: directory
        mode: "0755"

    - name: Detect RHEL ISO device
      ansible.builtin.command: lsblk -rno NAME,TYPE
      register: environment_lsblk_result
      changed_when: false

    - name: Select RHEL ISO device
      vars:
        _rom_devices: >-
          {{
            environment_lsblk_result.stdout_lines
            | map('split', ' ')
            | selectattr('1', 'equalto', 'rom')
            | map('first')
            | map('regex_replace', '^', '/dev/')
            | list
          }}
      ansible.builtin.set_fact:
        environment_rhel_iso_device: >-
          {{
            _rom_devices[-1]
            if _rom_devices | length > 1
            else (_rom_devices[0] | default('/dev/sr1'))
          }}

    - name: Mount RHEL ISO
      ansible.posix.mount:
        src: "{{ environment_rhel_iso_device }}"
        path: /usr/local/install/redhat/dvd
        fstype: iso9660
        opts: "ro,loop"
        state: mounted

# Security note: RPM Sequoia signature policy is relaxed to allow
# bootstrapping RHEL-family distros from the Arch ISO, where the
# host rpm/dnf does not trust target distro GPG keys. Package
# integrity is verified by the target system's own rpm after reboot.
- name: Relax RPM Sequoia signature policy for RHEL bootstrap
  when: is_rhel | bool
  ansible.builtin.copy:
    dest: /etc/rpm/macros
    content: "%_pkgverify_level none\n"
    mode: "0644"

- name: Configure RHEL Repos for installation
  when: is_rhel | bool
  block:
    - name: Create directories for repository files and RPM GPG keys
      ansible.builtin.file:
        path: /etc/yum.repos.d
        state: directory
        mode: "0755"

    - name: Create RHEL repository file
      ansible.builtin.template:
        src: "{{ os }}.repo.j2"
        dest: /etc/yum.repos.d/{{ os }}.repo
        mode: "0644"