---

- name: Create PHP website group
  group:
    name: "{{ user }}"
    gid: "{{ uid | default(omit) }}"
    state: present

- name: Create PHP website admin user
  user:
    name: "{{ admin }}"
    uid: "{{ admin_uid | default(omit) }}"
    group: "{{ user }}"
    shell: /bin/bash
    createhome: true
    home: "{{ home }}"
    state: present

- name: Set-up directory for storing user profile configuration files
  file:
    path: "{{ home }}/.profile.d"
    state: directory
    owner: "{{ admin }}"
    group: "{{ user }}"
    mode: 0750

- name: Create PHP website user
  user:
    name: "{{ user }}"
    uid: "{{ uid | default(omit) }}"
    group: "{{ user }}"
    comment: "umask=0007"
    system: true
    createhome: false
    state: present
    home: "{{ home }}"
    # This is a workaround for a rather stupid bug that Debian seems
    # uninterested to backport -
    # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865762
    shell: /bin/sh

- name: Add nginx user to website group
  user:
    name: "www-data"
    groups: "{{ user }}"
    append: "yes"
  notify:
    - Restart nginx

# Ownership set to root so Postfix would not check if correct user owns the
# file.
- name: Set-up forwarding for mails delivered to local application user/admin
  template:
    src: "forward.j2"
    dest: "{{ home }}/.forward"
    owner: root
    group: "{{ user }}"
    mode: 0640

- name: Install extra packages for website
  apt:
    name: "{{ item }}"
    state: present
  with_items: "{{ packages }}"

- name: Set-up MariaDB mysql_config symbolic link for compatibility on Jessie (workaround for Debian bug 766996)
  file:
    src: "/usr/bin/mariadb_config"
    dest: "/usr/bin/mysql_config"
    state: link
  when: "'libmariadb-client-lgpl-dev-compat' in packages and ansible_distribution_release == 'jessie'"

- name: Deploy PHP FPM configuration file for website
  template:
    src: "fpm_site.conf.j2"
    dest: "{{ php_fpm_pool_directory }}/{{ fqdn }}.conf"
    validate: "{{ php_fpm_binary }} -t -y %s"
    owner: root
    group: root
    mode: 0640
  notify:
    - Restart PHP-FPM

- name: Deploy nginx TLS private key for website
  copy:
    dest: "/etc/ssl/private/{{ fqdn }}_https.key"
    content: "{{ https_tls_key }}"
    owner: root
    group: root
    mode: 0640
  notify:
    - Restart nginx

- name: Deploy nginx TLS certificate for website
  copy:
    dest: "/etc/ssl/certs/{{ fqdn }}_https.pem"
    content: "{{ https_tls_certificate }}"
    owner: root
    group: root
    mode: 0644
  notify:
    - Restart nginx

- name: Deploy configuration file for checking certificate validity via cron
  copy:
    content: "/etc/ssl/certs/{{ fqdn }}_https.pem"
    dest: "/etc/check_certificate/{{ fqdn }}_https.conf"
    owner: root
    group: root
    mode: 0644

- name: Deploy nginx configuration file for website
  template:
    src: "nginx_site.j2"
    dest: "/etc/nginx/sites-available/{{ fqdn }}"
    owner: root
    group: root
    mode: 0640
    validate: "/usr/local/bin/nginx_verify_site.sh -n '{{ fqdn }}' %s"
  notify:
    - Restart nginx

- name: Enable website
  file:
    src: "/etc/nginx/sites-available/{{ fqdn }}"
    dest: "/etc/nginx/sites-enabled/{{ fqdn }}"
    state: link
  notify:
    - Restart nginx

- name: Explicitly run all handlers
  include: ../handlers/main.yml
  when: "handlers | default(False) | bool() == True"
  tags:
    - handlers