---

# temporary set selinux to permissive
- name: put selinux in permissive mode, log avcs to create policies later
  ansible.posix.selinux:
    policy: targeted
    state: permissive
  become: true
  when: ansible_os_family == "RedHat"

- name: configuring action runner
  block:
    - name: configure action runner on machine
      ansible.builtin.shell: >
        ./config.sh --unattended --url {{repository}} --token {{token}} --replace
        --name {{ansible_hostname}} --labels {{labels}}
      args:
        chdir: actions_runner
  rescue:
    - name: is an action runner already configured
      ansible.builtin.debug:
        msg: "{{ansible_failed_result}}"
    - name: Skipping setup if runner already exists
      when: "'already configured' in ansible_failed_result.stderr"
      ansible.builtin.debug:
        msg: "Action runner already running"

- name: setup and start github action runner as a service
  block:
    - name: Installing github action as a service
      ansible.builtin.shell: >
        ./svc.sh install {{user}}
      args:
        chdir: actions_runner
      become: true
  rescue:
    - name: Skipping setup if runner already exists
      when: "'exists' in ansible_failed_result.stderr"
      ansible.builtin.debug:
        msg: "Action runner already running"


- name: start the  service
  ansible.builtin.shell: >
    ./svc.sh start
  args:
    chdir: actions_runner
  become: true

- name: add a policy to allow service to run with selinux
  ansible.builtin.shell: |
    ausearch -c '(unsvc.sh)' --raw | audit2allow -M my-unsvcsh
    semodule -X 300 -i my-unsvcsh.pp
    ausearch -c '.NET DebugPipe' --raw | audit2allow -M my-NETDebugPipe
    semodule -X 300 -i my-NETDebugPipe.pp
    ausearch -c 'runsvc.sh' --raw | audit2allow -M my-runsvcsh
    semodule -X 300 -i my-runsvcsh.pp
    ausearch -c 'Runner.Listener' --raw | audit2allow -M my-RunnerListener
    semodule -i my-RunnerListener.pp
    ausearch -c 'node' --raw | audit2allow -M my-node
    semodule -X 300 -i my-node.pp
    setsebool -P domain_can_mmap_files 1
    setsebool -P nis_enabled 1
    ausearch -c '.NET TP Worker' --raw | audit2allow -M my-NETTPWorker
    semodule -X 300 -i my-NETTPWorker.pp
    restorecon -Rv /
  args:
    chdir: actions_runner
  become: true
  when: ansible_os_family == "RedHat"

# set selinux back to enforcing
- name: put selinux back to enforcing mode
  ansible.posix.selinux:
    policy: targeted
    state: enforcing
  become: true
  when: ansible_os_family == "RedHat"

- name: display status of service
  ansible.builtin.shell: >
    ./svc.sh status
  args:
    chdir: actions_runner
  become: true