Location: majic-ansible-roles/roles/wsgi_website/tasks/main.yml - annotation

branko
MAR-218: Switch to using ldap_attrs module:

- Update invocations and syntax.
- Drop the workaround for configuring TLS on the LDAP server (should
be possible to set all relevant attributes at the same time at this
point).
- Group some invocations where it makes sense.
---

# Website group. The website user, the admin user and nginx's www-data are
# all made members of it by the tasks further down.
- name: Create WSGI website group
  ansible.builtin.group:
    state: present
    name: '{{ user }}'
    # Reuse the website user's uid as gid when one is configured.
    gid: '{{ uid | default(omit) }}'

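# Interactive administrative account that owns the virtual environment and
# the static files; its primary group is the website group created above.
- name: Create WSGI website admin user
  ansible.builtin.user:
    name: "{{ admin }}"
    uid: "{{ admin_uid | default(omit) }}"
    group: "{{ user }}"
    # The user module's argument is `shell`; the previous key
    # `ansible.builtin.shell` is not a module parameter (a collateral FQCN
    # rewrite) and makes the task fail with "Unsupported parameters".
    shell: /bin/bash
    createhome: true
    home: "{{ home }}"
    state: present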

# Profile snippets for the admin account. The directory belongs to the
# admin, the snippets themselves are root-owned and group-readable only.
- name: Set-up directory for storing user profile configuration files
  ansible.builtin.file:
    state: directory
    path: '{{ home }}/.profile.d'
    owner: '{{ admin }}'
    group: '{{ user }}'
    mode: '0750'

# Static snippet shipped with the role.
- name: Deploy profile configuration file for auto-activating the virtual environment
  ansible.builtin.copy:
    src: profile_virtualenv.sh
    dest: '{{ home }}/.profile.d/virtualenv.sh'
    owner: root
    group: '{{ user }}'
    mode: '0640'

# Rendered snippet (per-website environment variables).
- name: Deploy profile configuration file for setting environment variables
  ansible.builtin.template:
    src: environment.sh.j2
    dest: '{{ home }}/.profile.d/environment.sh'
    owner: root
    group: '{{ user }}'
    mode: '0640'

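# Unprivileged system account the WSGI service runs as. It shares the home
# directory with the admin user, which already created it above.
- name: Create WSGI website user
  ansible.builtin.user:
    name: "{{ user }}"
    uid: "{{ uid | default(omit) }}"
    group: "{{ user }}"
    # GECOS field; presumably read by a PAM umask module — verify on the host.
    comment: "umask=0007"
    system: true
    createhome: false
    state: present
    home: "{{ home }}"
    # This is a workaround for a rather stupid bug that Debian seems
    # uninterested to backport -
    # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865762
    # The user module's argument is `shell`; the previous key
    # `ansible.builtin.shell` is not a module parameter and makes the task
    # fail with "Unsupported parameters".
    shell: /bin/sh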

# nginx serves group-readable files belonging to the website group, so its
# worker account joins the group as a supplementary member; `append` keeps
# www-data's existing group memberships intact.
- name: Add nginx user to website group
  ansible.builtin.user:
    name: www-data
    append: true
    groups: '{{ user }}'
  notify: Restart nginx

# Ownership set to root so Postfix would not check if correct user owns the
# file.
- name: Set-up forwarding for mails delivered to local application user/admin
  ansible.builtin.template:
    src: forward.j2
    dest: '{{ home }}/.forward'
    mode: '0640'
    owner: root
    group: '{{ user }}'

# Distribution packages the website needs. The result is registered because
# the restart bookkeeping at the end of this file inspects it.
- name: Install extra packages for website
  ansible.builtin.apt:
    state: present
    name: '{{ packages }}'
  register: install_extra_packages
  notify: Restart WSGI services

# Version string of the configured system interpreter (e.g. "3.11.2"); used
# below to decide whether the existing virtual environment is stale.
- name: Retrieve requested Python interpreter version
  ansible.builtin.command:
    argv:
      - '{{ python_interpreter }}'
      - '-c'
      - "import sys; print(sys.version.split(' ')[0])"
  register: python_interpreter_version
  changed_when: false

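# Both probes below execute files living under {{ home }}/virtualenv, a tree
# owned by the admin user (see the virtual environment tasks further down).
# Run them as that user rather than as the privileged connection user, so an
# admin-controlled interpreter or activate script cannot run code with
# elevated privileges during a playbook run.
- name: Retrieve virtual environment Python interpreter version (if initialised)
  ansible.builtin.command:
    argv:
      - "{{ home }}/virtualenv/bin/python"
      - "-c"
      - "import sys; print(sys.version.split(' ')[0])"
  become: true
  become_user: "{{ admin }}"
  # Virtual environment perhaps does not exist.
  failed_when: false
  changed_when: false
  register: virtualenv_python_version

# The prompt is compared against the expected one below; a mismatch means the
# environment was created for a different prompt/fqdn and gets rebuilt.
- name: Retrieve virtual environment prompt
  ansible.builtin.command:
    argv:
      - "bash"
      - "-c"
      - "source '{{ home }}/virtualenv/bin/activate'; printenv PS1"
  become: true
  become_user: "{{ admin }}"
  failed_when: false
  changed_when: false
  register: current_virtualenv_prompt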

# Throw the virtual environment away when it is missing/broken (non-zero rc),
# was built with a different interpreter version, or carries a different
# prompt. The rc check comes first so the stdout lookups are skipped when the
# probe did not produce any.
- name: Remove virtual environment in case of mismatches
  ansible.builtin.file:
    state: absent
    path: '{{ home }}/virtualenv'
  when: >-
    virtualenv_python_version.rc != 0 or
    virtualenv_python_version.stdout.strip() != python_interpreter_version.stdout.strip() or
    current_virtualenv_prompt.stdout != "(" + fqdn + ") "
  notify: Restart WSGI services

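# Virtual environment tree: admin-owned, setgid so new files inherit the
# website group.
- name: Create directory for storing the Python virtual environment
  ansible.builtin.file:
    path: "{{ home }}/virtualenv"
    state: directory
    owner: "{{ admin }}"
    group: "{{ user }}"
    mode: "02750"

# Runs as the admin user so nothing in the tree ends up root-owned.
# Arguments are passed as an argv list (consistent with the interpreter
# probes above) instead of a free-form string, so values such as the prompt
# or the home path are never re-split by shlex, whatever characters they
# contain.
- name: Create Python virtual environment
  ansible.builtin.command:
    argv:
      - /usr/bin/virtualenv
      - --python
      - "{{ python_interpreter }}"
      - --prompt
      - "{{ virtualenv_prompt }}"
      - "{{ home }}/virtualenv"
    # Idempotence marker: the interpreter symlink/binary inside the venv.
    creates: "{{ home }}/virtualenv/bin/{{ python_interpreter | basename }}"
  become: true
  become_user: "{{ admin }}"

- name: Configure project directory for the Python virtual environment
  ansible.builtin.template:
    src: "venv_project.j2"
    dest: "{{ home }}/virtualenv/.project"
    owner: "{{ admin }}"
    group: "{{ user }}"
    mode: "0640"

# Helper executable for running commands inside the environment.
- name: Deploy virtualenv wrapper
  ansible.builtin.template:
    src: "venv_exec.j2"
    dest: "{{ home }}/virtualenv/bin/exec"
    owner: "{{ admin }}"
    group: "{{ user }}"
    mode: "0750"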

# Copies of the requirements files for the pip upgrade checker, readable by
# its dedicated group only.
- name: Set-up directory for storing requirements file for upgrade checks
  ansible.builtin.file:
    state: directory
    path: '{{ pip_check_requirements_upgrades_directory }}/{{ fqdn }}'
    mode: '0750'
    owner: root
    group: pipreqcheck

- name: Deploy WSGI requirements files for upgrade checks
  ansible.builtin.template:
    src: '{{ item }}.j2'
    dest: '{{ pip_check_requirements_upgrades_directory }}/{{ fqdn }}/{{ item }}'
    mode: '0640'
    owner: root
    group: pipreqcheck
  loop:
    - wsgi_requirements.in
    - wsgi_requirements.txt

# Same pinned requirements, this time where the admin user can hand them to
# pip.
- name: Deploy Gunicorn requirements file for installation purposes
  ansible.builtin.template:
    src: wsgi_requirements.txt.j2
    dest: '{{ home }}/.wsgi_requirements.txt'
    mode: '0640'
    owner: '{{ admin }}'
    group: '{{ user }}'

# pip runs as the admin user inside the venv; both results are registered for
# the restart bookkeeping at the end of the file.
- name: Install Gunicorn via requirements file
  ansible.builtin.pip:
    state: present
    virtualenv: '{{ home }}/virtualenv'
    requirements: '{{ home }}/.wsgi_requirements.txt'
  become: true
  become_user: '{{ admin }}'
  register: install_gunicorn_via_requirements
  notify: Restart WSGI services

# Optional extra packages; skipped entirely when the list is empty.
- name: Install additional packages in Python virtual environment
  ansible.builtin.pip:
    state: present
    virtualenv: '{{ home }}/virtualenv'
    name: '{{ virtualenv_packages }}'
  become: true
  become_user: '{{ admin }}'
  when: virtualenv_packages | length > 0
  register: install_additional_packages_in_virtualenv
  notify: Restart WSGI services

# systemd socket + service pair named after the website fqdn. Unit files are
# world-readable, as is conventional under /etc/systemd/system.
- name: Deploy systemd socket configuration for website
  ansible.builtin.template:
    src: systemd_wsgi_website.socket.j2
    dest: '/etc/systemd/system/{{ fqdn }}.socket'
    mode: '0644'
    owner: root
    group: root
  register: deploy_systemd_socket_configuration
  notify:
    - Reload systemd
    - Restart WSGI services

- name: Deploy systemd service configuration for website
  ansible.builtin.template:
    src: systemd_wsgi_website.service.j2
    dest: '/etc/systemd/system/{{ fqdn }}.service'
    mode: '0644'
    owner: root
    group: root
  register: deploy_systemd_service_configuration
  notify:
    - Reload systemd
    - Restart WSGI services

- name: Enable the website service
  ansible.builtin.service:
    name: '{{ fqdn }}'
    state: started
    enabled: true

# Static files root; setgid so content dropped in by the admin stays
# group-readable for nginx (www-data is in the website group).
- name: Create directory where static files can be served from
  ansible.builtin.file:
    state: directory
    path: '{{ home }}/htdocs/'
    mode: '02750'
    owner: '{{ admin }}'
    group: '{{ user }}'

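# Private key is root-only readable (nginx's master process reads it). The
# task is marked no_log so the PEM content is never echoed into task output
# or --diff output when the key changes.
- name: Deploy nginx TLS private key for website
  ansible.builtin.copy:
    dest: "/etc/ssl/private/{{ fqdn }}_https.key"
    content: "{{ https_tls_key }}"
    owner: root
    group: root
    mode: "0640"
  no_log: true
  notify:
    - Restart nginx

# Certificate is public; world-readable like the rest of /etc/ssl/certs.
- name: Deploy nginx TLS certificate for website
  ansible.builtin.copy:
    dest: "/etc/ssl/certs/{{ fqdn }}_https.pem"
    content: "{{ https_tls_certificate }}"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart nginx

# One-line config pointing the certificate expiry check at the deployed cert.
- name: Deploy configuration file for checking certificate validity via cron
  ansible.builtin.copy:
    content: "/etc/ssl/certs/{{ fqdn }}_https.pem"
    dest: "/etc/check_certificate/{{ fqdn }}_https.conf"
    owner: root
    group: root
    mode: "0644"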

# Site configuration is validated before it replaces the live file, so a
# broken template never reaches sites-available.
- name: Deploy nginx configuration file for website
  ansible.builtin.template:
    src: nginx_site.j2
    dest: '/etc/nginx/sites-available/{{ fqdn }}'
    validate: "/usr/local/bin/nginx_verify_site.sh -n '{{ fqdn }}' %s"
    mode: '0640'
    owner: root
    group: root
  notify: Restart nginx

- name: Enable nginx website
  ansible.builtin.file:
    state: link
    src: '/etc/nginx/sites-available/{{ fqdn }}'
    dest: '/etc/nginx/sites-enabled/{{ fqdn }}'
  notify: Restart nginx

# Restart bookkeeping: the list of websites whose WSGI service must be
# restarted is accumulated across role invocations in a play-level fact, and
# the actual restart is done by the handlers.
- name: Set-up empty list of WSGI services to restart
  ansible.builtin.set_fact:
    wsgi_services_to_restart: []
  when: wsgi_services_to_restart is not defined
  tags:
    - handlers

- name: Add service to list of WSGI services to restart  # noqa no-handler
  # [no-handler] Tasks that run when changed should likely be handlers
  #   This specific task is used in order to work around inability of Ansible
  #   to provide properly parametrised handlers for reusable roles.
  ansible.builtin.set_fact:
    wsgi_services_to_restart: '{{ wsgi_services_to_restart + [fqdn] }}'
  # Queue this fqdn once, when any of the registered install/deploy tasks
  # above reported a change, or when handlers are being forced.
  when: >-
    fqdn not in wsgi_services_to_restart and
    ((install_extra_packages is defined and install_extra_packages.changed) or
    (install_additional_packages_in_virtualenv is defined and install_additional_packages_in_virtualenv.changed) or
    (deploy_systemd_socket_configuration is defined and deploy_systemd_socket_configuration.changed) or
    (deploy_systemd_service_configuration is defined and deploy_systemd_service_configuration.changed) or
    (install_gunicorn_via_requirements is defined and install_gunicorn_via_requirements.changed) or
    (run_handlers | default(False) | bool()))
  tags:
    - handlers

# Opt-in escape hatch: run the role's handler file inline instead of waiting
# for the end of the play.
- name: Explicitly run all handlers
  ansible.builtin.include_tasks: ../handlers/main.yml
  when: run_handlers | default(False) | bool()
  tags:
    - handlers