Changeset - 0c330b88956a
0 16 0
Branko Majic (branko) - 15 months ago 2024-09-09 16:42:51
branko@majic.rs
MAR-218: Switch to using task imports instead of includes:

- Should result in somewhat faster runs, except that the includes
happen during the planning phase. None of the changed includes will
have a problem with this.
- Solves the issue of (included) imported tasks not being tagged
properly, particularly in relation to the mechanism for explicitly
running all handlers.
16 files changed with 18 insertions and 18 deletions:
roles/backup/tasks/main.yml
 
---
 

	
 
- name: Configure backup patterns
 
  ansible.builtin.template:
 
    src: "backup_patterns.j2"
 
    dest: "/etc/duply/main/patterns/{{ backup_patterns_filename }}"
 
    owner: root
 
    group: root
 
    mode: "0600"
 
  notify:
 
    - Assemble Duply include patterns
 

	
 
- name: Explicitly run all handlers
 
  ansible.builtin.include_tasks: ../handlers/main.yml
 
  ansible.builtin.import_tasks: ../handlers/main.yml
 
  when: "run_handlers | default(False) | bool()"
 
  tags:
 
    - handlers
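Review bot: The `when` on the "Explicitly run all handlers" task no longer gates loading of `../handlers/main.yml`; with `ansible.builtin.import_tasks` the file is parsed when the playbook is loaded, and the condition and the `handlers` tag are copied onto every imported task. That is worth recording next to the task, for example `# Static import: 'when' and 'tags' below are applied to each task in handlers/main.yml.`. It also means a handlers file that uses a handler-only keyword such as `listen` would probably be rejected at parse time on every run, rather than only when `run_handlers` is set; the handlers files are not shown here, so that should be checked per role. The same applies to the identical task in the other fifteen task files of this changeset.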
roles/backup_client/tasks/main.yml
 
@@ -116,28 +116,28 @@
 
    owner: root
 
    group: root
 
    mode: "0700"
 

	
 
- name: Deploy crontab entry for running backups
 
  ansible.builtin.cron:
 
    name: backup
 
    cron_file: backup
 
    hour: "2"
 
    minute: "0"
 
    job: "/usr/bin/duply main pre_and_bkp && /usr/bin/duply main post_and_purge --force"
 
    state: present
 
    user: root
 

	
 
- name: Ensure the file with include patterns exists (but do not overwrite)
 
  ansible.builtin.copy:
 
    content: ""
 
    dest: /etc/duply/main/include
 
    force: false
 
    group: root
 
    owner: root
 
    mode: "0600"
 

	
 
- name: Explicitly run all handlers
 
  ansible.builtin.include_tasks: ../handlers/main.yml
 
  ansible.builtin.import_tasks: ../handlers/main.yml
 
  when: "run_handlers | default(False) | bool()"
 
  tags:
 
    - handlers
roles/backup_server/tasks/main.yml
 
@@ -133,28 +133,28 @@
 
    owner: root
 
    group: root
 
    mode: "0644"
 
  notify:
 
    - Reload systemd
 
    - Restart backup SSH server
 

	
 
- name: Start and enable OpenSSH backup service
 
  ansible.builtin.service:
 
    name: "ssh-backup"
 
    state: started
 
    enabled: true
 

	
 
- name: Deploy firewall configuration for backup server
 
  ansible.builtin.template:
 
    src: "ferm_backup.conf.j2"
 
    dest: "/etc/ferm/conf.d/40-backup.conf"
 
    owner: root
 
    group: root
 
    mode: "0640"
 
  notify:
 
    - Restart ferm
 

	
 
- name: Explicitly run all handlers
 
  ansible.builtin.include_tasks: ../handlers/main.yml
 
  ansible.builtin.import_tasks: ../handlers/main.yml
 
  when: "run_handlers | default(False) | bool()"
 
  tags:
 
    - handlers
roles/bootstrap/tasks/main.yml
 
@@ -16,28 +16,28 @@
 
    system: true
 
    group: ansible
 
    shell: /bin/bash
 

	
 
- name: Set-up authorized key for the Ansible user
 
  ansible.posix.authorized_key:
 
    user: ansible
 
    key: "{{ ansible_key }}"
 

	
 
- name: Set-up password-less sudo for the ansible user
 
  ansible.builtin.copy:
 
    src: "ansible_sudo"
 
    dest: "/etc/sudoers.d/ansible"
 
    mode: "0640"
 
    owner: root
 
    group: root
 

	
 
- name: Revoke rights for Ansible user to log-in as root to server via ssh
 
  ansible.posix.authorized_key:
 
    user: root
 
    key: "{{ ansible_key }}"
 
    state: absent
 

	
 
- name: Explicitly run all handlers
 
  ansible.builtin.include_tasks: ../handlers/main.yml
 
  ansible.builtin.import_tasks: ../handlers/main.yml
 
  when: "run_handlers | default(False) | bool()"
 
  tags:
 
    - handlers
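Review bot: The "Set-up password-less sudo for the ansible user" task copies `ansible_sudo` into `/etc/sudoers.d/ansible` without a syntax check, so a malformed file would break sudo on the host, including for the Ansible user itself. Adding `validate: "/usr/sbin/visudo -cf %s"` to the `ansible.builtin.copy` arguments makes the module refuse to install a file that does not parse. sudoers fragments are conventionally `mode: "0440"` rather than `"0640"`.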
roles/common/tasks/main.yml
 
@@ -513,28 +513,28 @@
 
    state: present
 
  when: ntp_pools | length > 0
 

	
 
- name: Remove NTP packages
 
  ansible.builtin.apt:
 
    name:
 
      - ntpsec
 
      - ntpsec-ntpdate
 
    state: absent
 
    purge: true
 
  when: ntp_pools | length == 0
 

	
 
- name: Deploy NTP configuration
 
  ansible.builtin.template:
 
    src: "ntp.conf.j2"
 
    dest: "/etc/ntpsec/ntp.conf"
 
    owner: root
 
    group: root
 
    mode: "0644"
 
  when: ntp_pools | length > 0
 
  notify:
 
    - Restart NTP server
 

	
 
- name: Explicitly run all handlers
 
  ansible.builtin.include_tasks: ../handlers/main.yml
 
  ansible.builtin.import_tasks: ../handlers/main.yml
 
  when: "run_handlers | default(False) | bool()"
 
  tags:
 
    - handlers
roles/database/tasks/main.yml
 
---
 

	
 
- name: "Create database {{ db_name }}"
 
  community.mysql.mysql_db:
 
    name: "{{ db_name }}"
 
    state: present
 
    login_unix_socket: "/var/run/mysqld/mysqld.sock"
 

	
 
- name: "Create database user {{ db_name }}"
 
  community.mysql.mysql_user:
 
    name: "{{ db_name }}"
 
    password: "{{ db_password }}"
 
    priv: "{{ db_name }}.*:ALL"
 
    state: present
 
    login_unix_socket: "/var/run/mysqld/mysqld.sock"
 
    column_case_sensitive: true
 

	
 
- name: Enable backup
 
  ansible.builtin.include_tasks: backup.yml
 
  ansible.builtin.import_tasks: backup.yml
 
  when: enable_backup
 

	
 
- name: Explicitly run all handlers
 
  ansible.builtin.include_tasks: ../handlers/main.yml
 
  ansible.builtin.import_tasks: ../handlers/main.yml
 
  when: "run_handlers | default(False) | bool()"
 
  tags:
 
    - handlers
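Review bot: `when: enable_backup` on the "Enable backup" import is a bare variable, and now that the import is static the condition is evaluated separately for every task in `backup.yml`. A value that arrives as a non-empty string (for instance from `-e enable_backup=false`) is likely to be treated as true, so I would write `when: enable_backup | bool`, matching the `| bool()` already used on the handlers task. Any task in `backup.yml` that loops over a variable defined only when backups are enabled would also have its loop expression templated before the condition is checked; `backup.yml` is not visible here, so that needs a look. `roles/ldap_server/tasks/main.yml` has the same "Enable backup" task.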
roles/database_server/tasks/main.yml
 
@@ -13,28 +13,28 @@
 
    name: mysql
 
    state: started
 
    enabled: true
 

	
 
- name: Set UTF-8 encoding as default for MariaDB
 
  ansible.builtin.template:
 
    src: "utf8.cnf.j2"
 
    dest: "/etc/mysql/mariadb.conf.d/90-utf8.cnf"
 
    owner: root
 
    group: root
 
    mode: "0644"
 
  register: mariadb_utf8_configuration
 

	
 
- name: Restart MariaDB in order to use UTF-8 as default character set  # noqa no-handler
 
  # [no-handler] Tasks that run when changed should likely be handlers
 
  #   UTF-8 configuration must be applied immediatelly in order to ensure that
 
  #   subsequent tasks that create databases will end-up with correct (UTF-8)
 
  #   encoding. Otherwise they will be created using default latin1.
 
  ansible.builtin.service:
 
    name: mysql
 
    state: restarted
 
  when: mariadb_utf8_configuration.changed
 

	
 
- name: Explicitly run all handlers
 
  ansible.builtin.include_tasks: ../handlers/main.yml
 
  ansible.builtin.import_tasks: ../handlers/main.yml
 
  when: "run_handlers | default(False) | bool()"
 
  tags:
 
    - handlers
roles/ldap_client/tasks/main.yml
 
---
 

	
 
- name: Install OpenLDAP client tools
 
  ansible.builtin.apt:
 
    name: ldap-utils
 
    state: present
 

	
 
- name: Set-up LDAP client configuration directory
 
  ansible.builtin.file:
 
    path: /etc/ldap/
 
    state: directory
 
    owner: root
 
    group: root
 
    mode: "0755"
 

	
 
- name: Deploy LDAP client configuration file
 
  ansible.builtin.template:
 
    src: ldap.conf.j2
 
    dest: /etc/ldap/ldap.conf
 
    owner: root
 
    group: root
 
    mode: "0644"
 

	
 
- name: Explicitly run all handlers
 
  ansible.builtin.include_tasks: ../handlers/main.yml
 
  ansible.builtin.import_tasks: ../handlers/main.yml
 
  when: "run_handlers | default(False) | bool()"
 
  tags:
 
    - handlers
roles/ldap_server/tasks/main.yml
 
@@ -257,32 +257,32 @@
 
    mode: "0400"
 
  changed_when: false
 

	
 
- name: Test if LDAP admin password needs to be changed
 
  ansible.builtin.command: "ldapwhoami -H ldapi:/// -D 'cn=admin,{{ ldap_server_int_basedn }}' -x -y /root/.ldap_admin_password"
 
  register: ldap_admin_password_check
 
  changed_when: ldap_admin_password_check.rc != 0
 
  failed_when: false
 

	
 
- name: Update LDAP admin password
 
  community.general.ldap_attrs:
 
    dn: "olcDatabase={1}mdb,cn=config"
 
    attributes:
 
      olcRootPW: "{{ ldap_admin_password | ldap_password_hash }}"
 
    state: exact
 
  when: ldap_admin_password_check.rc != 0
 

	
 
- name: Remove temporary file with LDAP admin password
 
  ansible.builtin.file:
 
    path: "/root/.ldap_admin_password"
 
    state: absent
 
  changed_when: false
 

	
 
- name: Enable backup
 
  ansible.builtin.include_tasks: backup.yml
 
  ansible.builtin.import_tasks: backup.yml
 
  when: enable_backup
 

	
 
- name: Explicitly run all handlers
 
  ansible.builtin.include_tasks: ../handlers/main.yml
 
  ansible.builtin.import_tasks: ../handlers/main.yml
 
  when: "run_handlers | default(False) | bool()"
 
  tags:
 
    - handlers
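Review bot: The cleanup of `/root/.ldap_admin_password` is an ordinary task in the sequence, so a failure in "Update LDAP admin password" ends the play for that host before "Remove temporary file with LDAP admin password" runs, and the password stays on disk. Moving the write, test and update tasks into a `block:` and the removal into its `always:` section would make the cleanup unconditional. The task that writes the file starts above this hunk, so only its `mode: "0400"` and `changed_when: false` lines are visible here.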
roles/mail_forwarder/tasks/main.yml
 
@@ -97,28 +97,28 @@
 
    smtp_relay_host_ipv4: "{{ smtp_relay_host_ipv4.stdout_lines | reject('equalto', '') | list }}"
 
  when: "smtp_relay_host | length != 0"
 

	
 
- name: Normalise the SMTP relay host IPv6 addresses variable
 
  ansible.builtin.set_fact:
 
    smtp_relay_host_ipv6: "{{ smtp_relay_host_ipv6.stdout_lines | reject('equalto', '') | list }}"
 
  when: "smtp_relay_host | length != 0"
 

	
 
- name: Deploy firewall configuration for mail forwader
 
  ansible.builtin.template:
 
    src: "ferm_mail.conf.j2"
 
    dest: "/etc/ferm/conf.d/20-mail.conf"
 
    owner: root
 
    group: root
 
    mode: "0640"
 
  notify:
 
    - Restart ferm
 

	
 
- name: Install SWAKS
 
  ansible.builtin.apt:
 
    name: swaks
 
    state: present
 

	
 
- name: Explicitly run all handlers
 
  ansible.builtin.include_tasks: ../handlers/main.yml
 
  ansible.builtin.import_tasks: ../handlers/main.yml
 
  when: "run_handlers | default(False) | bool()"
 
  tags:
 
    - handlers
roles/mail_server/tasks/main.yml
 
@@ -304,28 +304,28 @@
 

	
 
- name: Enable and start Postfix service
 
  ansible.builtin.service:
 
    name: postfix
 
    state: started
 
    enabled: true
 

	
 
- name: Enable and start Dovecot service
 
  ansible.builtin.service:
 
    name: dovecot
 
    state: started
 
    enabled: true
 

	
 
- name: Deploy firewall configuration for mail server
 
  ansible.builtin.copy:
 
    src: "ferm_mail.conf"
 
    dest: "/etc/ferm/conf.d/20-mail.conf"
 
    owner: root
 
    group: root
 
    mode: "0640"
 
  notify:
 
    - Restart ferm
 

	
 
- name: Explicitly run all handlers
 
  ansible.builtin.include_tasks: ../handlers/main.yml
 
  ansible.builtin.import_tasks: ../handlers/main.yml
 
  when: "run_handlers | default(False) | bool()"
 
  tags:
 
    - handlers
roles/php_website/tasks/main.yml
 
@@ -100,28 +100,28 @@
 
    owner: root
 
    group: root
 
    mode: "0644"
 

	
 
- name: Deploy nginx configuration file for website
 
  ansible.builtin.template:
 
    src: "nginx_site.j2"
 
    dest: "/etc/nginx/sites-available/{{ fqdn }}"
 
    owner: root
 
    group: root
 
    mode: "0640"
 
    validate: "/usr/local/bin/nginx_verify_site.sh -n '{{ fqdn }}' %s"
 
  notify:
 
    - Restart nginx
 

	
 
- name: Enable website
 
  ansible.builtin.file:
 
    src: "/etc/nginx/sites-available/{{ fqdn }}"
 
    dest: "/etc/nginx/sites-enabled/{{ fqdn }}"
 
    state: link
 
  notify:
 
    - Restart nginx
 

	
 
- name: Explicitly run all handlers
 
  ansible.builtin.include_tasks: ../handlers/main.yml
 
  ansible.builtin.import_tasks: ../handlers/main.yml
 
  when: "run_handlers | default(False) | bool()"
 
  tags:
 
    - handlers
roles/preseed/tasks/main.yml
 
---
 

	
 
- name: Create directory for storing preseed configurations
 
  ansible.builtin.file:
 
    path: "{{ preseed_directory }}"
 
    mode: "0750"
 
    state: directory
 

	
 
- name: Create preseed configuration file
 
  ansible.builtin.template:
 
    src: "preseed.cfg.j2"
 
    dest: "{{ preseed_directory }}/{{ item }}.cfg"
 
    mode: "0640"
 
  when: item != "localhost"
 
  with_items: "{{ groups['all'] }}"
 

	
 
- name: Explicitly run all handlers
 
  ansible.builtin.include_tasks: ../handlers/main.yml
 
  ansible.builtin.import_tasks: ../handlers/main.yml
 
  when: "run_handlers | default(False) | bool()"
 
  tags:
 
    - handlers
roles/web_server/tasks/main.yml
 
@@ -197,28 +197,28 @@
 
  ansible.builtin.service:
 
    name: "{{ php_fpm_service_name }}"
 
    enabled: true
 
    state: started
 

	
 
- name: Read timezone on server
 
  ansible.builtin.slurp:
 
    src: "/etc/timezone"
 
  register: server_timezone
 

	
 
- name: Configure timezone for PHP
 
  ansible.builtin.template:
 
    src: "php_timezone.ini.j2"
 
    dest: "{{ item }}/30-timezone.ini"
 
    owner: root
 
    group: root
 
    mode: "0644"
 
  with_items:
 
    - "{{ php_base_config_dir }}/cli/conf.d/"
 
    - "{{ php_base_config_dir }}/fpm/conf.d/"
 
  notify:
 
    - Restart PHP-FPM
 

	
 
- name: Explicitly run all handlers
 
  ansible.builtin.include_tasks: ../handlers/main.yml
 
  ansible.builtin.import_tasks: ../handlers/main.yml
 
  when: "run_handlers | default(False) | bool()"
 
  tags:
 
    - handlers
roles/wsgi_website/tasks/main.yml
 
@@ -292,28 +292,28 @@
 
  ansible.builtin.set_fact:
 
    wsgi_services_to_restart: []
 
  when: "wsgi_services_to_restart is not defined"
 
  tags:
 
    - handlers
 

	
 
- name: Add service to list of WSGI services to restart  # noqa no-handler
 
  # [no-handler] Tasks that run when changed should likely be handlers
 
  #   This specific task is used in order to work around inability of Ansible
 
  #   to provide properly parametrised handlers for reusable roles.
 
  ansible.builtin.set_fact:
 
    wsgi_services_to_restart: "{{ wsgi_services_to_restart + [fqdn] }}"
 
  when: |
 
    fqdn not in wsgi_services_to_restart and
 
    ((install_extra_packages is defined and install_extra_packages.changed) or
 
    (install_additional_packages_in_virtualenv is defined and install_additional_packages_in_virtualenv.changed) or
 
    (deploy_systemd_socket_configuration is defined and deploy_systemd_socket_configuration.changed) or
 
    (deploy_systemd_service_configuration is defined and deploy_systemd_service_configuration.changed) or
 
    (install_gunicorn_via_requirements is defined and install_gunicorn_via_requirements.changed) or
 
    (run_handlers | default(False) | bool()))
 
  tags:
 
    - handlers
 

	
 
- name: Explicitly run all handlers
 
  ansible.builtin.include_tasks: ../handlers/main.yml
 
  ansible.builtin.import_tasks: ../handlers/main.yml
 
  when: "run_handlers | default(False) | bool()"
 
  tags:
 
    - handlers
roles/xmpp_server/tasks/main.yml
 
@@ -114,28 +114,28 @@
 
    dest: "/etc/prosody/prosody.cfg.lua"
 
    owner: root
 
    group: prosody
 
    mode: "0640"
 
  notify:
 
    - Restart Prosody
 

	
 
- name: Enable and start Prosody service
 
  ansible.builtin.service:
 
    name: prosody
 
    state: started
 
    enabled: true
 

	
 
- name: Deploy firewall configuration for XMPP server
 
  ansible.builtin.copy:
 
    src: "ferm_xmpp.conf"
 
    dest: "/etc/ferm/conf.d/30-xmpp.conf"
 
    owner: root
 
    group: root
 
    mode: "0640"
 
  notify:
 
    - Restart ferm
 

	
 
- name: Explicitly run all handlers
 
  ansible.builtin.include_tasks: ../handlers/main.yml
 
  ansible.builtin.import_tasks: ../handlers/main.yml
 
  when: "run_handlers | default(False) | bool()"
 
  tags:
 
    - handlers