
Location: majic-ansible-roles/roles/wsgi_website/tasks/main.yml - annotation

branko
MAR-128: Upgraded tests for php_website role:

- Switch to new Molecule configuration.
- Updated set-up playbook to use become: yes.
- Moved some preparatory steps outside of the main playbook (eases
idempotence tests).
- Updated tests to reference the yml inventory file.
- Updated tests to use new fixture (host instead of individual ones).
- Switched to extracting hostname instead of hard-coding it in a
couple of tests.
- Fixed some linting issues.
- Updated hostname to include Debian version.
---

# Group used as the primary group of both the website account and its admin
# account. The GID is set only when `uid` is supplied; otherwise the
# parameter is omitted and the system picks one.
- name: Create WSGI website group
  group:
    state: present
    name: "{{ user }}"
    gid: "{{ uid | default(omit) }}"

# Administrator account for the site: bash login shell, home directory
# created at `home`, primary group is the website group.
- name: Create WSGI website admin user
  user:
    state: present
    name: "{{ admin }}"
    uid: "{{ admin_uid | default(omit) }}"
    group: "{{ user }}"
    home: "{{ home }}"
    createhome: true
    shell: /bin/bash

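# Directory holding the profile snippets deployed by the following tasks.
# Owner is the admin account, group is the website group, others get nothing.
- name: Set-up directory for storing user profile configuration files
  file:
    path: "{{ home }}/.profile.d"
    state: directory
    owner: "{{ admin }}"
    group: "{{ user }}"
    # Quoted so the mode is handed over as an octal string rather than
    # depending on YAML 1.1 implicit octal parsing of a bare number.
    mode: "0750"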

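# Static profile snippet copied from the role's files directory.
# NOTE(review): the file is root-owned, but the .profile.d directory that
# holds it is owned by the admin account, which can therefore still replace
# the file. Confirm that this is the intended trust boundary.
- name: Deploy profile configuration file for auto-activating the virtual environment
  copy:
    src: "profile_virtualenv.sh"
    dest: "{{ home }}/.profile.d/virtualenv.sh"
    owner: root
    group: "{{ user }}"
    # Quoted octal string; avoids reliance on YAML 1.1 implicit octal.
    mode: "0640"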

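# Profile snippet rendered from environment.sh.j2 (template not shown here).
# NOTE(review): mode 0640 with the website group makes the rendered file
# readable by every member of that group, and this role also adds www-data
# to the group. Check what the template renders before placing secrets in it.
- name: Deploy profile configuration file for setting environment variables
  template:
    src: "environment.sh.j2"
    dest: "{{ home }}/.profile.d/environment.sh"
    owner: root
    group: "{{ user }}"
    # Quoted octal string; avoids reliance on YAML 1.1 implicit octal.
    mode: "0640"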

# System account for the website. It shares the home path with the admin
# account but no home directory is created by this task.
# NOTE(review): the comment (GECOS) field carries "umask=0007"; presumably
# this is read by pam_umask. Confirm against the host's PAM configuration.
- name: Create WSGI website user
  user:
    state: present
    name: "{{ user }}"
    uid: "{{ uid | default(omit) }}"
    group: "{{ user }}"
    home: "{{ home }}"
    createhome: false
    system: true
    comment: "umask=0007"

# Adds www-data to the website group as a supplementary group (append keeps
# its existing groups) and restarts nginx so the new membership is picked up.
# NOTE(review): this grants the web server account group-level access to
# everything this role deploys with the website group, not only htdocs.
- name: Add nginx user to website group
  user:
    name: www-data
    append: true
    groups: "{{ user }}"
  notify:
    - Restart nginx

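# The file is owned by root so that Postfix does not check whether the
# correct user owns it. The website group gets read access only.
- name: Set-up forwarding for mails delivered to local application user/admin
  template:
    src: "forward.j2"
    dest: "{{ home }}/.forward"
    owner: root
    group: "{{ user }}"
    # Quoted octal string; avoids reliance on YAML 1.1 implicit octal.
    mode: "0640"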

# Installs each entry of `packages` through apt, one loop iteration per
# package. The registered result is consulted later in this file when the
# list of WSGI services to restart is built.
- name: Install extra packages for website
  apt:
    state: present
    name: "{{ item }}"
  with_items: "{{ packages }}"
  notify:
    - Restart WSGI services
  register: install_extra_packages

# Creates /usr/bin/mysql_config as a symlink to mariadb_config, but only when
# the compat development package is among the requested packages.
- name: Set-up MariaDB mysql_config symbolic link for compatibility (workaround for Debian bug 766996)
  when: "'libmariadb-client-lgpl-dev-compat' in packages"
  file:
    state: link
    src: /usr/bin/mariadb_config
    dest: /usr/bin/mysql_config

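# Virtual environment root: writable by the admin account only, readable and
# traversable by the website group. The leading 2 sets the setgid bit, so new
# entries inherit the website group.
- name: Create directory for storing the Python virtual environment
  file:
    path: "{{ home }}/virtualenv"
    state: directory
    owner: "{{ admin }}"
    group: "{{ user }}"
    # Quoted so the setgid bit and permissions are passed as an octal string
    # rather than depending on YAML 1.1 implicit octal parsing.
    mode: "02750"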

# Runs virtualenv as the admin account (not root) so the environment is owned
# by that account. `creates` makes the task a no-op once bin/activate exists.
- name: Create Python virtual environment
  become: true
  become_user: "{{ admin }}"
  command: '/usr/bin/virtualenv --prompt "({{ fqdn }})" "{{ home }}/virtualenv"'
  args:
    creates: "{{ home }}/virtualenv/bin/activate"
  tags:
    # [ANSIBLE0012] Commands should not change things if nothing needs doing
    #   This task will not fire if the virtual environment has already been
    #   created (thanks to the 'creates' parameter).
    - skip_ansible_lint

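# Renders venv_project.j2 (template not shown here) into the .project file
# of the virtual environment; writable by the admin account, readable by the
# website group.
- name: Configure project directory for the Python virtual environment
  template:
    src: "venv_project.j2"
    dest: "{{ home }}/virtualenv/.project"
    owner: "{{ admin }}"
    group: "{{ user }}"
    # Quoted octal string; avoids reliance on YAML 1.1 implicit octal.
    mode: "0640"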

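# Renders venv_exec.j2 (template not shown here) as an executable at
# virtualenv/bin/exec. The website group may execute it but not modify it.
- name: Deploy virtualenv wrapper
  template:
    src: "venv_exec.j2"
    dest: "{{ home }}/virtualenv/bin/exec"
    owner: "{{ admin }}"
    group: "{{ user }}"
    # Quoted octal string; avoids reliance on YAML 1.1 implicit octal.
    mode: "0750"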

# Installs gunicorn and futures at the versions given by role variables,
# into the site's virtual environment and as the admin account. Skipped when
# `wsgi_requirements` is truthy; that case is handled by requirements.yml.
- name: Install WSGI server
  when: "not wsgi_requirements"
  become: true
  become_user: "{{ admin }}"
  pip:
    virtualenv: "{{ home }}/virtualenv"
    state: present
    name: "{{ item.package }}"
    version: "{{ item.version }}"
  with_items:
    - package: gunicorn
      version: "{{ gunicorn_version }}"
    - package: futures
      version: "{{ futures_version }}"
  notify:
    - Restart WSGI services
  register: install_wsgi_server

# Alternative to the "Install WSGI server" task: when `wsgi_requirements` is
# truthy, the tasks in requirements.yml (not shown here) run instead.
- include: requirements.yml
  when: "wsgi_requirements"

# Installs the caller-supplied `virtualenv_packages` into the site's virtual
# environment as the admin account.
# NOTE(review): no version is set here, so pinning depends entirely on the
# specifiers callers put into `virtualenv_packages`.
- name: Install additional packages in Python virtual environment
  become: true
  become_user: "{{ admin }}"
  pip:
    virtualenv: "{{ home }}/virtualenv"
    state: present
    name: "{{ virtualenv_packages }}"
  notify:
    - Restart WSGI services
  register: install_additional_packages_in_virtualenv

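# Renders the systemd socket unit for the site, named after `fqdn`.
# The unit is root-owned and world-readable; a change reloads systemd and
# restarts the WSGI services.
- name: Deploy systemd socket configuration for website
  template:
    src: "systemd_wsgi_website.socket.j2"
    dest: "/etc/systemd/system/{{ fqdn }}.socket"
    owner: root
    group: root
    # Quoted octal string; avoids reliance on YAML 1.1 implicit octal.
    mode: "0644"
  register: deploy_systemd_socket_configuration
  notify:
    - Reload systemd
    - Restart WSGI services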

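# Renders the systemd service unit for the site, named after `fqdn`.
# The unit is root-owned and world-readable; a change reloads systemd and
# restarts the WSGI services.
- name: Deploy systemd service configuration for website
  template:
    src: "systemd_wsgi_website.service.j2"
    dest: "/etc/systemd/system/{{ fqdn }}.service"
    owner: root
    group: root
    # Quoted octal string; avoids reliance on YAML 1.1 implicit octal.
    mode: "0644"
  register: deploy_systemd_service_configuration
  notify:
    - Reload systemd
    - Restart WSGI services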

# Ensures the unit named after `fqdn` is both enabled at boot and running.
- name: Enable the website service
  service:
    name: "{{ fqdn }}"
    state: started
    enabled: true

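# Static file root: writable by the admin account, readable and traversable
# by the website group, with setgid so new entries inherit that group.
- name: Create directory where static files can be served from
  file:
    path: "{{ home }}/htdocs/"
    state: directory
    owner: "{{ admin }}"
    group: "{{ user }}"
    # Quoted so the setgid bit and permissions are passed as an octal string
    # rather than depending on YAML 1.1 implicit octal parsing.
    mode: "02750"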

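# Writes the TLS private key from the `https_tls_key` variable to
# /etc/ssl/private, owned by root:root with no access for others.
# NOTE(review): the key arrives as a plain variable; how it is protected at
# rest (for example with an encrypted vars file) is not visible from here.
- name: Deploy nginx TLS private key for website
  copy:
    dest: "/etc/ssl/private/{{ fqdn }}_https.key"
    content: "{{ https_tls_key }}"
    owner: root
    group: root
    # Quoted octal string; avoids reliance on YAML 1.1 implicit octal.
    mode: "0640"
  # Keep the key material out of task results, callback output and the
  # --diff display.
  no_log: true
  notify:
    - Restart nginx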

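# Writes the TLS certificate from the `https_tls_certificate` variable.
# It is deployed world-readable, unlike the private key.
- name: Deploy nginx TLS certificate for website
  copy:
    dest: "/etc/ssl/certs/{{ fqdn }}_https.pem"
    content: "{{ https_tls_certificate }}"
    owner: root
    group: root
    # Quoted octal string; avoids reliance on YAML 1.1 implicit octal.
    mode: "0644"
  notify:
    - Restart nginx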

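# The file content is just the path of the deployed certificate.
# NOTE(review): the cron job that reads /etc/check_certificate is defined
# outside this file; the one-path-per-file format is assumed from this task.
- name: Deploy configuration file for checking certificate validity via cron
  copy:
    content: "/etc/ssl/certs/{{ fqdn }}_https.pem"
    dest: "/etc/check_certificate/{{ fqdn }}_https.conf"
    owner: root
    group: root
    # Quoted octal string; avoids reliance on YAML 1.1 implicit octal.
    mode: "0644"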

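# Renders the nginx site definition. The rendered file is passed to the
# nginx_verify_site.sh helper (%s is the temporary file path) before the
# destination is replaced, so a configuration that fails the check is not
# installed.
- name: Deploy nginx configuration file for website
  template:
    src: "nginx_site.j2"
    dest: "/etc/nginx/sites-available/{{ fqdn }}"
    owner: root
    group: root
    # Quoted octal string; avoids reliance on YAML 1.1 implicit octal.
    mode: "0640"
    validate: "/usr/local/bin/nginx_verify_site.sh -n '{{ fqdn }}' %s"
  notify:
    - Restart nginx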

# Activates the site by linking its definition from sites-available into
# sites-enabled; nginx is restarted when the link changes.
- name: Enable nginx website
  file:
    state: link
    src: "/etc/nginx/sites-available/{{ fqdn }}"
    dest: "/etc/nginx/sites-enabled/{{ fqdn }}"
  notify:
    - Restart nginx

# Initialises the restart list only if the fact does not exist yet, so a
# value that is already set is left untouched.
- name: Set-up empty list of WSGI services to restart
  tags:
    - handlers
  when: "wsgi_services_to_restart is not defined"
  set_fact:
    wsgi_services_to_restart: []

# Appends this site's `fqdn` to the restart list when it is not already
# there and either one of the registered results reports a change or the
# `handlers` variable is truthy.
# NOTE(review): `install_gunciron_via_requirements` is spelled this way in
# the condition. It is presumably registered under the same spelling in
# requirements.yml; if the two differ, that branch can never be true.
- name: Add service to list of WSGI services to restart
  set_fact:
    wsgi_services_to_restart: "{{ wsgi_services_to_restart + [ fqdn ] }}"
  when: |
    fqdn not in wsgi_services_to_restart and
    ((install_extra_packages is defined and install_extra_packages.changed) or
    (install_wsgi_server is defined and install_wsgi_server.changed) or
    (install_additional_packages_in_virtualenv is defined and install_additional_packages_in_virtualenv.changed) or
    (deploy_systemd_socket_configuration is defined and deploy_systemd_socket_configuration.changed) or
    (deploy_systemd_service_configuration is defined and deploy_systemd_service_configuration.changed) or
    (install_gunciron_via_requirements is defined and install_gunciron_via_requirements.changed) or
    (handlers | default(False) | bool() == True))
  tags:
    - handlers
    # [ANSIBLE0016] Tasks that run when changed should likely be handlers
    #   This specific task is used in order to work around inability of Ansible
    #   to provide properly parametrised handlers for reusable roles.
    - skip_ansible_lint

# Pulls the role's handler file in as ordinary tasks, but only when the
# `handlers` variable is truthy (it defaults to False).
- name: Explicitly run all handlers
  tags:
    - handlers
  when: "handlers | default(False) | bool() == True"
  include: ../handlers/main.yml