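---
# deploy-ansipa-policies.yml — deploy the policy enforcement daemon to enrolled clients.
#
# Installs ansipa-enforce-policies.sh and a systemd timer that runs it every 30 minutes.
# Policies are declared by adding hosts to the following FreeIPA host groups:
#
#   policy-block-binary-<name>    Block execution of <name> via a PATH-priority wrapper + AppArmor
#   policy-daemon-enable-<name>   Ensure <name> is enabled and running; reverted when host leaves group
#   policy-daemon-disable-<name>  Ensure <name> is disabled and stopped; reverted when host leaves group
#   policy-timeshift-backup       Enforce daily Timeshift snapshots (03:00)
#   policy-security-scan          Enforce daily ClamAV + rkhunter + chkrootkit scans + SMB upload (02:00)
#   policy-scan-notify            Fetch alerts from server, notify user every 10 min until acknowledged
#
# Prerequisites:
#   - Host enrolled in FreeIPA (sssd + ipa CLI available)
#   - For security-scan / scan-notify: samba-client installed (handled below)
#   - For security-scan / scan-notify: smb_scan_password set (use ansible-vault in production)
#   - For security-scan tools: also add host to ansipa-module-anti-malware group
#   - For timeshift-backup: also add host to ansipa-module-timeshift group
#
# Usage:
#   ansible-playbook -i inventory deploy-ansipa-policies.yml \
#     -e smb_scan_password=<password>
#   or use --vault-password-file
#
# The password is written verbatim into /etc/ansipa-smb.creds (root-owned, 0600)
# on every targeted host; prefer ansible-vault over -e so it does not end up in
# shell history or process listings.

- name: Deploy FreeIPA policy enforcer
  hosts: all
  become: true

  tasks:
    # Defining smb_scan_password as a play var in terms of itself
    # ("{{ smb_scan_password | mandatory(...) }}") does not work as intended:
    # an -e value shadows the play var entirely, and without one the template
    # refers to itself, so the mandatory() message is not what the user sees.
    # An explicit assert gives the intended error and does not echo the value.
    - name: Check that smb_scan_password is set
      assert:
        that:
          - smb_scan_password is defined
          - smb_scan_password | length > 0
        quiet: true
        fail_msg: "smb_scan_password is required — use -e smb_scan_password=... or ansible-vault"

    # Best-effort: only hosts in the security-scan / scan-notify groups need
    # this package, and its name is distribution-specific, so a failure here
    # is reported but does not abort the play.
    - name: Install samba-client (required for scan upload and alert fetch)
      package:
        name: samba-client
        state: present
      ignore_errors: true

    # no_log keeps the rendered file (and therefore the password) out of task
    # output, --diff output and Ansible logs.
    - name: Deploy SMB credentials file
      copy:
        dest: /etc/ansipa-smb.creds
        owner: root
        group: root
        mode: '0600'
        content: |
          username = scanupload
          password = {{ smb_scan_password }}
          domain = WORKGROUP
      no_log: true

    # Enforcer, alert-fetch and user-notification scripts, all root-owned so a
    # local user cannot replace what the timer executes as root.
    - name: Deploy policy scripts
      copy:
        src: "{{ item }}"
        dest: "/usr/local/bin/{{ item }}"
        owner: root
        group: root
        mode: '0755'
      loop:
        - ansipa-enforce-policies.sh
        - ansipa-fetch-alerts.sh
        - ansipa-scan-notify.sh

    - name: Create policy state directory
      file:
        path: /var/lib/ansipa-policies
        state: directory
        owner: root
        group: root
        mode: '0700'

    - name: Install policy enforcer systemd service
      copy:
        dest: /etc/systemd/system/ansipa-enforce-policies.service
        owner: root
        group: root
        mode: '0644'
        content: |
          [Unit]
          Description=Enforce FreeIPA host-group policies (binary blocks, backups, scans)
          After=network-online.target sssd.service
          Wants=network-online.target

          [Service]
          Type=oneshot
          ExecStart=/usr/local/bin/ansipa-enforce-policies.sh
          StandardOutput=journal
          StandardError=journal

    - name: Install policy enforcer systemd timer
      copy:
        dest: /etc/systemd/system/ansipa-enforce-policies.timer
        owner: root
        group: root
        mode: '0644'
        content: |
          [Unit]
          Description=Periodic FreeIPA policy enforcement

          [Timer]
          OnBootSec=5min
          OnUnitActiveSec=30min

          [Install]
          WantedBy=timers.target

    # daemon_reload replaces the separate `command: systemctl daemon-reload`
    # task, which reported "changed" on every run; the systemd module runs the
    # reload before enabling/starting, so the freshly copied units are seen.
    - name: Enable and start policy enforcer timer
      systemd:
        name: ansipa-enforce-policies.timer
        daemon_reload: true
        enabled: true
        state: started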