---
- name: Remove old kernels
  ansible.builtin.shell: dnf remove -y $(dnf repoquery --installonly --latest-limit=-1 -q)

- name: Delete DNF cache
  ansible.builtin.command: dnf clean all

- name: Find DNF history files
  ansible.builtin.find:
    paths: /var/lib/dnf
    patterns: "history*"
  register: dnf_history

- name: Reset DNF history
  ansible.builtin.file:
    path: "{{ item.path }}"
    state: absent
  loop: "{{ dnf_history.files }}"

- name: Find temporary files
  ansible.builtin.find:
    file_type: any
    paths:
      - /tmp
      - /var/tmp
    patterns: '*'
  register: tmp_files

- name: Remove temporary files
  ansible.builtin.file:
    path: "{{ item.path }}"
    state: absent
  loop: "{{ tmp_files.files }}"

- name: Find SSH host keys
  ansible.builtin.find:
    paths: /etc/ssh
    patterns: '*host*key*'
  register: host_keys

- name: Remove SSH host keys
  ansible.builtin.file:
    path: "{{ item.path }}"
    state: absent
  loop: "{{ host_keys.files }}"

- name: Remove kickstart files
  ansible.builtin.file:
    path: "{{ item }}"
    state: absent
  loop:
    - /root/anaconda-ks.cfg
    - /root/original-ks.cfg

- name: Truncate files
  ansible.builtin.command: "truncate -s 0 {{ item }}"
  loop:
    - /etc/machine-id
    - /etc/resolv.conf
    - /var/log/audit/audit.log
    - /var/log/wtmp
    - /var/log/lastlog
    - /var/log/btmp
    - /var/log/cron
    - /var/log/maillog
    - /var/log/messages
    - /var/log/secure
    - /var/log/spooler

- name: Remove log folders.
  ansible.builtin.file:
    path: "{{ item }}"
    state: absent
  loop:
    - /var/log/anaconda
    - /var/log/qemu-ga
    - /var/log/tuned
    - /var/lib/cloud
    - /etc/hostname
    - /etc/machine-info
    - /var/lib/systemd/credential.secret

- name: Find log files.
  ansible.builtin.find:
    paths:
      - /var/log
      - /var/log/sssd
    patterns: '*log,*.old,*.log.gz,*.[0-9],*.gz,*-????????'
  register: log_files

- name: Remove log files
  ansible.builtin.file:
    path: "{{ item.path }}"
    state: absent
  loop: "{{ log_files.files }}"

- name: Remove random-seed
  ansible.builtin.file:
    path: /var/lib/systemd/random-seed
    state: absent

- name: Disable root SSH login via password
  ansible.builtin.file:
    path: /etc/ssh/sshd_config.d/01-permitrootlogin.conf
    state: absent
  when: ansible_facts['distribution_major_version'] == '9'

- name: Fill free space with zeroes
  ansible.builtin.shell: dd if=/dev/zero of=/zeroed_file bs=1M oflag=direct || rm -f /zeroed_file

- name: Detect swap partition
  ansible.builtin.command: grep -oP '^/dev/[\w-]+' /proc/swaps
  register: swaps
  ignore_errors: true

- name: Wipe out swap data
  block:
    - name: Get swap partition UUID
      ansible.builtin.command: "blkid {{ swaps.stdout }} -s UUID -o value"
      register: swap_blkid

    - name: Unmount swap partition
      ansible.builtin.command: "swapoff {{ swaps.stdout }}"

    - name: Fill swap partition with zeroes
      ansible.builtin.shell: "dd if=/dev/zero of={{ swaps.stdout }} bs=1M oflag=direct || /bin/true"

    - name: Format swap partition
      ansible.builtin.command: "mkswap -U {{ swap_blkid.stdout }} -f {{ swaps.stdout }}"

    - name: Mount swap partition
      ansible.builtin.command: "swapon {{ swaps.stdout }}"
  when: swaps.rc == 0

- name: Sync disc
  ansible.builtin.command: sync

- name: Clear shell history
  ansible.builtin.shell: history -c

- name: Check if WALinuxAgent is installed
  ansible.builtin.stat:
    path: /usr/sbin/waagent
  register: cleanup_vm_waagent

- name: Deprovision WALinuxAgent
  ansible.builtin.command: waagent -deprovision+user -force
  when: cleanup_vm_waagent.stat.exists