# vim: set ft=yaml.jinja :
- set_fact:
    mok_password: >-
      {{ lookup("pipe", "diceware -d ' ' -n 6 -w en_eff --no-caps") }}
  args:
    cacheable: false

- name: ensure prerequisite packages are installed
  package:
    name:
    - mokutil
    state: present
  tags:
  - install

- name: ensure gasket-dkms is not installed
  package:
    name: gasket-dkms
    state: absent
  tags:
  - uninstall

- name: ensure local dch data dir exists
  file:
    path: /usr/local/share/dch
    owner: root
    group: root
    mode: u=rwx,go=rx
    state: directory
  tags:
  - cert
- name: ensure kernel module signing key is present
  copy:
    src: mok.crt
    dest: /usr/local/share/dch/mok.crt
    owner: root
    group: root
    mode: u=rw,go=r
  notify:
  - enroll uefi mok
  tags:
  - cert

- name: flush handlers
  meta: flush_handlers

- name: ensure gasket-driver is installed
  package:
    name: gasket-driver
    state: present
  tags:
  - install