# Copyright 2019 The Kubernetes Authors.

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at

# http://www.apache.org/licenses/LICENSE-2.0

# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- import_tasks: redhat.yml
  when: ansible_os_family == "RedHat"

- import_tasks: debian.yml
  when: ansible_os_family == "Debian"

- name: Configure PTP
  lineinfile:
    path: /etc/chrony/chrony.conf
    create: yes
    line: refclock PHC /dev/ptp0 poll 3 dpoll -2 offset 0

- name: Ensure makestep parameter set as per Azure recommendation
  lineinfile:
    path: /etc/chrony/chrony.conf
    regexp: '^makestep'
    line: makestep 1.0 -1

- name: Install iptables persistence
  apt:
    name: "{{ packages }}"
    state: present
    force_apt_get: yes
  vars:
    packages:
      - iptables-persistent
  when: ansible_os_family == "Debian"

- name: Block traffic to 168.63.129.16 port 80 for cve-2021-27075
  copy:
    src: files/etc/azure/iptables
    dest: /etc/iptables/rules.v4
    owner: root
    group: root
    mode: 0644
  when: ansible_os_family == "Debian"

- name: Load iptable rules from file
  community.general.iptables_state:
    state: restored
    path: /etc/iptables/rules.v4
  when: ansible_os_family == "Debian"

- name: Install netbase and nfs-common
  apt:
    name: "{{ packages }}"
    state: present
    force_apt_get: yes
  vars:
    packages:
    - netbase
    - nfs-common
  when: ansible_os_family == "Debian"