- name: 'DNS: Enable DNSSEC'
  tags:
    - config
    - dns
  block:
    - name: 'DNS: Enable DNSSEC configuration'
      lineinfile:
        path: '/etc/systemd/resolved.conf'
        state: present
        regexp: 'DNSSEC='
        line: '#DNSSEC=allow-downgrade'
      become: true

    - name: 'DNS: Restart resolver'
      systemd:
        name: systemd-resolved
        state: restarted
      become: true

# - name: 'IPv6: Privacy'
#   tags:
#     - config
#     - ipv6
#   block:
#     - name: 'IPv6: Privacy: Temporary addressing defaults'
#       lineinfile:
#         path: '/etc/ufw/sysctl.conf'
#         state: present
#         regexp: "net/ipv6/conf/{{ item }}/use_tempaddr"
#         line: "net/ipv6/conf/{{ item }}/use_tempaddr=2"
#       loop: ['default', 'all']
#       become: true

#     - name: 'IPv6: Privacy: Detect interfaces'
#       shell: 'nmcli -t connection show | cut -f2 -d:'
#       register: nmcli_connections

#     - name: 'IPv6: Privacy: Network Manager enforcement'
#       command: "nmcli connection modify uuid {{ item }} ipv6.ip6-privacy 2"
#       loop: "{{ nmcli_connections.stdout_lines }}"

- name: 'Wireguard'
  tags:
    - config
    - wireguard
  block:
    - set_fact:
        wgconfig_path: /etc/wireguard/wg0.conf

    - name: 'Wireguard: Check for existing configuration'
      stat:
        path: "{{ wgconfig_path }}"
      register: wgconfig

    - name: 'Wireguard: Create configuration template'
      copy:
        dest: "{{ wgconfig_path }}"
        src: files/wireguard.conf
        mode: '0400'
      when: not wgconfig.stat.exists
      become: true

    - name: 'Wireguard: Fix configuration permissions'
      file:
        state: file
        path: "{{ wgconfig_path }}"
        mode: '0400'
        owner: 'root'
        group: 'root'
      become: true

- name: 'Config: Checkout some repositories for local config'
  tags:
    - config
    - repos
  git:
    repo: "{{ item.repo }}"
    dest: "{{ item.dest }}"
  loop: "{{ config_repos }}"

- name: 'Conky: Configuration'
  tags:
    - config
    - conky
  template:
    src: 'templates/conkyrc.j2'
    dest: '~/.conkyrc'
    mode: '0400'

- name: 'Gnome: Custom key bindings: Add'
  tags:
    - config
    - keybindings
  block:
    - name: 'Gnome: Custom key bindings: Set facts'
      set_fact:
        customkbpath: '/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings'
        kblist: []

    - name: 'Gnome: Custom key bindings: Build list'
      set_fact:
        kblist: "{{ kblist + [ ( customkbpath + '/custom' + index | string + '/' ) | to_json ] }}"
      loop: "{{ gnome_custom_keybindings }}"
      loop_control:
        index_var: index
        label: "{{ item.name }}"

    - name: 'Gnome: Custom key bindings: Configure list'
      command: "dconf write {{ customkbpath }} [{{ kblist | join(',') | quote }}]"

    - include: includes/keybindings.yaml
      loop: "{{ gnome_custom_keybindings }}"
      loop_control:
        index_var: index

- name: 'Shell: Clipboard aliases'
  tags:
    - config
    - shell
  copy:
    content: |
      [[ -x /usr/bin/copyq ]] && function pbpaste() { /usr/bin/copyq clipboard; } && export -f pbpaste
      [[ -x /usr/bin/copyq ]] && function pbcopy() { /usr/bin/copyq add -; } && export -f pbcopy
    dest: '~/.bashrc.d/alias.clipboard'
    mode: '0400'