Location: majic-ansible-roles/roles/mail_server/molecule/default/prepare.yml - annotation

branko
MAR-129: Updated backup_server role linting and test configuration:

- Fixed linting issues.
- Use global linting configuration file.
- Moved test variables into group_vars.
---

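# Bootstrap play: fact gathering is disabled and only the raw module is used,
# so the play works on a target that has no Python interpreter yet.
- name: Prepare
  hosts: all
  gather_facts: false
  tasks:
    - name: Install python for Ansible
      # The "test -e" guard skips the install when /usr/bin/python exists.
      # apt-get is used rather than apt, whose command-line interface is not
      # guaranteed to be stable for scripted use.
      raw: test -e /usr/bin/python || (apt-get -y update && apt-get install -y python-minimal)
      become: true
      # raw cannot report idempotence, so the task is pinned to "not changed".
      changed_when: false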

# Refresh the apt package index on every host before the later plays install
# packages.
- hosts: all
  become: true
  tasks:

    # changed_when is pinned to false, so the refresh never reports a change.
    - name: Update all caches to avoid errors due to missing remote archives
      apt:
        update_cache: true
      changed_when: false

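# Map the test network addresses to host names in /etc/hosts on every host.
- hosts: all
  become: true
  tasks:

    - name: Set-up the hosts file
      lineinfile:
        path: /etc/hosts
        # The address is regex-escaped and must be followed by whitespace.
        # A bare "^10.31.127.10" treats each dot as a wildcard and would also
        # match a longer address such as 10.31.127.100, replacing that line.
        regexp: '^{{ item.key | regex_escape }}\s'
        line: "{{ item.key }} {{ item.value }}"
        owner: root
        group: root
        # Quoted so the mode reaches the module as an octal string on any
        # YAML parser.
        mode: '0644'
        state: present
      # key = IPv4 address, value = space-separated host names for that address.
      with_dict:
        10.31.127.10: "ldap-server backup-server"
        10.31.127.20: "client1"
        10.31.127.21: "client2"
        10.31.127.30: "parameters-mandatory parameters-mandatory-jessie64"
        10.31.127.31: "parameters-optional parameters-optional-jessie64"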

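# Test tooling for the client hosts: SMTP, IMAP, SIEVE and TCP probes, the
# IMAP CLI configuration files and the test CA certificate.
# Package tasks use state "present"; "installed" is a deprecated alias of it in
# the apt module (scheduled for removal in Ansible 2.9).
- hosts: client
  become: true
  tasks:

    - name: Install SWAKS for testing SMTP capability
      apt:
        name: swaks
        state: present

    - name: Install pip
      apt:
        name: python-pip
        state: present

    # Pinned to an exact version and installed system-wide as root (play-level
    # become, no virtualenv). No hash is checked, so the integrity of the
    # package depends on the package index pip is configured to use.
    - name: Install IMAP CLI tool
      pip:
        name: Imap-CLI==0.6
        state: present

    - name: Install tool for testing SIEVE
      apt:
        name: sieve-connect
        state: present

    - name: Install tool for testing TCP connectivity
      apt:
        name: hping3
        state: present

    # Mode 0600 keeps each file readable by the vagrant user only.
    # NOTE(review): presumably these files hold the test mailbox credentials -
    # confirm against tests/data.
    - name: Deploy IMAP CLI configuration
      copy:
        src: "tests/data/{{ item }}"
        dest: "/home/vagrant/{{ item }}"
        owner: vagrant
        group: vagrant
        mode: '0600'
      with_items:
        - imapcli-parameters-mandatory-john_doe.conf
        - imapcli-parameters-mandatory-jane_doe.conf
        - imapcli-parameters-optional-john_doe.conf
        - imapcli-parameters-optional-jane_doe.conf

    # Placing the certificate under /usr/local/share/ca-certificates and
    # rebuilding the cache adds the test CA to the system trust store, so every
    # TLS client on the host that uses that store will trust it.
    - name: Deploy CA certificate
      copy:
        src: tests/data/x509/ca.cert.pem
        dest: /usr/local/share/ca-certificates/testca.crt
        owner: root
        group: root
        mode: '0644'
      notify:
        - Update CA certificate cache

  handlers:

    # Runs only when the certificate file was created or changed.
    - name: Update CA certificate cache
      command: /usr/sbin/update-ca-certificates --fresh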

# Provision the ldap-server host with the ldap_server and backup_server roles.
# Every password below is an inline fixture of this molecule scenario; the
# certificates and keys are read from tests/data on the controller.
- hosts: ldap-server
  become: true
  roles:
    - role: ldap_server
      ldap_admin_password: admin
      ldap_entries:

        # Users
        # userPassword values are written in clear text.
        # NOTE(review): how they end up stored in the directory depends on the
        # ldap_server role - verify there.
        - dn: uid=john,ou=people,dc=local
          attributes:
            objectClass: [inetOrgPerson, simpleSecurityObject]
            userPassword: johnpassword
            uid: john
            cn: John Doe
            sn: Doe
            mail: john.doe@domain1
        - dn: uid=jane,ou=people,dc=local
          attributes:
            objectClass: [inetOrgPerson, simpleSecurityObject]
            userPassword: janepassword
            uid: jane
            cn: Jane Doe
            sn: Doe
            mail: jane.doe@domain2

        # This user has a mail attribute but is not listed in the mail group
        # below.
        - dn: uid=nomail,ou=people,dc=local
          attributes:
            objectClass: [inetOrgPerson, simpleSecurityObject]
            userPassword: nomailpassword
            uid: nomail
            cn: No Mail
            sn: Mail
            mail: nomail@domain1

        # Groups
        - dn: cn=mail,ou=groups,dc=local
          state: append
          attributes:
            uniqueMember:
              - uid=john,ou=people,dc=local
              - uid=jane,ou=people,dc=local

        # Domains
        - dn: dc=domain1,ou=domains,ou=mail,ou=services,dc=local
          attributes:
            objectClass: dNSDomain
            dc: domain1

        - dn: dc=domain2,ou=domains,ou=mail,ou=services,dc=local
          attributes:
            objectClass: dNSDomain
            dc: domain2

        # Aliases
        - dn: cn=postmaster@domain1,ou=aliases,ou=mail,ou=services,dc=local
          attributes:
            objectClass: nisMailAlias
            cn: postmaster@domain1
            rfc822MailMember: john.doe@domain1

        - dn: cn=webmaster@domain2,ou=aliases,ou=mail,ou=services,dc=local
          attributes:
            objectClass: nisMailAlias
            cn: webmaster@domain2
            rfc822MailMember: jane.doe@domain2

      # Consumer accounts for the mail services.
      # NOTE(review): presumably these are the bind identities postfix and
      # dovecot use for lookups - confirm in the ldap_server role.
      ldap_server_consumers:
        - name: postfix
          password: postfixpassword
        - name: dovecot
          password: dovecotpassword
          state: present

      ldap_server_domain: local
      ldap_server_groups:
        - name: mail
      ldap_server_organization: Example
      # The TLS certificate and private key are read from the controller's
      # tests/data tree when the play is templated.
      ldap_server_tls_certificate: "{{ lookup('file', 'tests/data/x509/ldap-server_ldap.cert.pem') }}"
      ldap_server_tls_key: "{{ lookup('file', 'tests/data/x509/ldap-server_ldap.key.pem') }}"

      # common
      ca_certificates:
        testca: "{{ lookup('file', 'tests/data/x509/ca.cert.pem') }}"

      # ldap_client
      # TLS_REQCERT demand makes client tools reject a server certificate that
      # does not validate against TLS_CACERT. The URI ldapi:/// is the local
      # IPC (Unix socket) endpoint.
      # NOTE(review): the TLS_CACERT path presumably matches where the common
      # role installs the "testca" entry above - confirm.
      ldap_client_config:
        - comment: CA truststore
          option: TLS_CACERT
          value: /etc/ssl/certs/testca.cert.pem
        - comment: Ensure TLS is enforced
          option: TLS_REQCERT
          value: demand
        - comment: Base DN
          option: BASE
          value: dc=local
        - comment: URI
          option: URI
          value: ldapi:///

    - role: backup_server
      # SSH host private keys, one per key type, read from tests/data/ssh.
      # NOTE(review): a DSA host key is still provisioned; current OpenSSH
      # releases disable DSA keys by default - confirm the role still needs it.
      backup_host_ssh_private_keys:
        dsa: "{{ lookup('file', 'tests/data/ssh/server_dsa') }}"
        rsa: "{{ lookup('file', 'tests/data/ssh/server_rsa') }}"
        ed25519: "{{ lookup('file', 'tests/data/ssh/server_ed25519') }}"
        ecdsa: "{{ lookup('file', 'tests/data/ssh/server_ecdsa') }}"
      # NOTE(review): the hosts-file play maps 10.31.127.31 to
      # parameters-optional-jessie64, while the client is named
      # parameters-optional-j64 here - confirm the shorter name is intended.
      backup_clients:
        - server: parameters-optional-j64
          ip: 10.31.127.31
          public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"