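---
# Disable AppArmor on Debian-family hosts: remove the packages listed in
# deapparmor_packages and add apparmor=0 to the kernel command line through
# /etc/default/grub.
#
# Security impact: apparmor=0 switches the AppArmor LSM off at boot, so after
# the next reboot no AppArmor profile confines any service on the host. Limit
# the play to hosts where running without this MAC layer is an approved
# exception.
#
# The handlers notified below are defined outside this file; judging by their
# names they regenerate the GRUB configuration and reboot the machine.

- name: Sanity checks
  ansible.builtin.assert:
    that:
      - ansible_os_family|default("N/A") in ["Debian"]
    fail_msg: "Only Debian-family hosts are supported (ansible_os_family must be 'Debian')"

# Loads os_<family>.yml; presumably this is where deapparmor_packages is
# defined -- confirm against the vars files.
- name: Get distribution variables
  ansible.builtin.include_vars:
    file: "os_{{ ansible_os_family|lower }}.yml"

- name: Remove packages
  ansible.builtin.package:
    name: "{{ deapparmor_packages }}"
    state: absent
  notify: "Reboot machine for DeAppArmor"

# Read-only probe, so it never reports a change and also runs in check mode;
# that keeps the registered result usable by the next task's condition.
# argv + command avoids a shell. grep exits 1 when nothing matches, which is
# the expected "not configured yet" case; any other non-zero code (for example
# an unreadable /etc/default/grub) fails here instead of being masked.
- name: "[GRUB] Look for disabled AppArmor"
  ansible.builtin.command:
    argv:
      - grep
      - '^GRUB_CMDLINE_LINUX=.*apparmor=0'
      - /etc/default/grub
  register: deapparmor_grub_comdline
  changed_when: false
  failed_when: deapparmor_grub_comdline.rc not in [0, 1]
  check_mode: false

# Adds a second assignment that extends the existing GRUB_CMDLINE_LINUX value
# rather than rewriting the original line. Runs only when the probe found no
# GRUB_CMDLINE_LINUX line that already carries apparmor=0.
# backup: true leaves a timestamped copy of the previous file on the host.
- name: "[GRUB] Add apparmor=0"
  ansible.builtin.lineinfile:
    path: /etc/default/grub
    line: 'GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} apparmor=0"'
    insertafter: '^GRUB_CMDLINE_LINUX='
    owner: root
    group: root
    # Quoted so the mode stays an octal string whatever the YAML parser does.
    mode: "0644"
    backup: true
  when: deapparmor_grub_comdline.stdout_lines|length == 0
  notify:
    - "update-grub for DeAppArmor"
    - "Reboot machine for DeAppArmor"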