
Location: majic-ansible-roles/roles/php_website/tasks/main.yml - annotation

---

# Dedicated primary group for the website; it carries the same name as the
# application user. A fixed GID is requested only when "uid" is supplied,
# otherwise the parameter is omitted.
- name: Create PHP website group
  ansible.builtin.group:
    state: present
    name: "{{ user }}"
    gid: "{{ uid | default(omit) }}"

# Interactive administrator account for the website. Its primary group is
# the website group and its home directory is the website home, which this
# task creates.
- name: Create PHP website admin user
  ansible.builtin.user:
    state: present
    name: "{{ admin }}"
    uid: "{{ admin_uid | default(omit) }}"
    group: "{{ user }}"
    home: "{{ home }}"
    createhome: true
    shell: /bin/bash

# Mode 0750: the admin may write, members of the website group may read and
# traverse, everyone else has no access.
- name: Set-up directory for storing user profile configuration files
  ansible.builtin.file:
    state: directory
    path: "{{ home }}/.profile.d"
    mode: "0750"
    owner: "{{ admin }}"
    group: "{{ user }}"

# System account the application runs as. It shares the home directory of
# the admin account and does not create it (createhome is false).
- name: Create PHP website user
  ansible.builtin.user:
    state: present
    name: "{{ user }}"
    uid: "{{ uid | default(omit) }}"
    group: "{{ user }}"
    system: true
    home: "{{ home }}"
    createhome: false
    # Stored in the account's comment (GECOS) field.
    # NOTE(review): presumably read by pam_umask so that files the account
    # creates are group-writable and inaccessible to others - confirm the
    # PAM configuration on the target hosts.
    comment: "umask=0007"
    # A login shell is assigned only as a workaround for a Debian bug whose
    # fix has not been backported:
    # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865762
    shell: /bin/sh

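# "append" keeps the existing supplementary groups of www-data and only
# adds the website group to them.
# NOTE(review): after this task, every path in this role that is
# group-accessible to the website group (for example ~/.forward and
# ~/.profile.d) is accessible to www-data as well.
- name: Add nginx user to website group
  ansible.builtin.user:
    name: "www-data"
    groups: "{{ user }}"
    # A real boolean, consistent with the other boolean options in this file.
    append: true
  notify:
    - Restart nginx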

# The file is owned by root so that Postfix does not check whether the
# correct user owns it. Mode 0640 leaves it read-only for the website group
# and writable by root alone.
- name: Set-up forwarding for mails delivered to local application user/admin
  ansible.builtin.template:
    src: "forward.j2"
    dest: "{{ home }}/.forward"
    mode: "0640"
    owner: root
    group: "{{ user }}"

# Installs whatever the role parameter "packages" lists; "present" installs
# missing packages and does not upgrade ones that are already installed.
- name: Install extra packages for website
  ansible.builtin.apt:
    state: present
    name: "{{ packages }}"

# One pool file per site, named after the FQDN. The rendered file is checked
# with the FPM binary (-t tests the configuration, -y selects the file)
# before it replaces the destination; a failed check leaves the existing
# file in place.
- name: Deploy PHP FPM configuration file for website
  ansible.builtin.template:
    src: "fpm_site.conf.j2"
    dest: "{{ php_fpm_pool_directory }}/{{ fqdn }}.conf"
    mode: "0640"
    owner: root
    group: root
    validate: "{{ php_fpm_binary }} -t -y %s"
  notify:
    - Restart PHP-FPM

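# Writes the private key from the "https_tls_key" variable. The file is
# owned by root:root with mode 0640, so no other account can read it.
- name: Deploy nginx TLS private key for website
  ansible.builtin.copy:
    dest: "/etc/ssl/private/{{ fqdn }}_https.key"
    content: "{{ https_tls_key }}"
    owner: root
    group: root
    mode: "0640"
  # The task arguments contain the key itself; no_log keeps it out of task
  # output, verbose logs and --diff rendering.
  no_log: true
  notify:
    - Restart nginx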

# The certificate is public material, hence world-readable (0644), unlike
# the private key, which is deployed with mode 0640.
- name: Deploy nginx TLS certificate for website
  ansible.builtin.copy:
    content: "{{ https_tls_certificate }}"
    dest: "/etc/ssl/certs/{{ fqdn }}_https.pem"
    mode: "0644"
    owner: root
    group: root
  notify:
    - Restart nginx

# The whole content of this file is the path of the certificate deployed
# for the site; the task name indicates that a cron-driven validity check
# reads it.
- name: Deploy configuration file for checking certificate validity via cron
  ansible.builtin.copy:
    dest: "/etc/check_certificate/{{ fqdn }}_https.conf"
    content: "/etc/ssl/certs/{{ fqdn }}_https.pem"
    mode: "0644"
    owner: root
    group: root

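# The rendered site file is passed to the verification script before it
# replaces the destination; a failed check leaves the existing file in
# place.
- name: Deploy nginx configuration file for website
  ansible.builtin.template:
    src: "nginx_site.j2"
    dest: "/etc/nginx/sites-available/{{ fqdn }}"
    owner: root
    group: root
    mode: "0640"
    # The quote filter escapes fqdn for the validate command line, so a value
    # containing a quote or whitespace still reaches the script as a single
    # argument. Hand-written single quotes do not survive a quote inside the
    # value.
    validate: "/usr/local/bin/nginx_verify_site.sh -n {{ fqdn | quote }} %s"
  notify:
    - Restart nginx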

# Enabling the site means linking its file from sites-available into
# sites-enabled; nginx is restarted when the link is created or changed.
- name: Enable website
  ansible.builtin.file:
    state: link
    dest: "/etc/nginx/sites-enabled/{{ fqdn }}"
    src: "/etc/nginx/sites-available/{{ fqdn }}"
  notify:
    - Restart nginx

# Includes the role's handlers file as a plain task list, but only when
# "run_handlers" is set to a true value. The "handlers" tag allows selecting
# this step on its own.
- name: Explicitly run all handlers
  tags:
    - handlers
  when: "run_handlers | default(False) | bool()"
  ansible.builtin.include_tasks: ../handlers/main.yml