# @TODO: Can't use file module, since one of the files (GnuPG socket)

#        seems to disappear in middle of operation).

- name: Remove current keyring  # noqa no-changed-when

  # [no-changed-when] Commands should not change things if nothing needs doing

  #   This task is invoked only if user is very specific about requiring to

  #   run the handlers manually as a way to bring the system to consistency

  #   after interrupted runs.

  command: "rm -rf /etc/duply/main/gnupg"

- name: Create keyring directory

  file:

    path: "/etc/duply/main/gnupg"

    state: directory

    owner: root

    group: root

    mode: 0700

- name: Import private keys  # noqa no-changed-when

  # [no-changed-when] Commands should not change things if nothing needs doing

  #   This task is invoked only if user is very specific about requiring to

  #   run the handlers manually as a way to bring the system to consistency

  #   after interrupted runs.

  command: "gpg --no-tty --homedir /etc/duply/main/gnupg --import /etc/duply/main/private_keys.asc"

  command: "gpg --no-tty --homedir /etc/duply/main/gnupg --import /etc/duply/main/public_keys.asc"

  when: backup_additional_encryption_keys | length > 0

        owner: root

        group: root

        mode: 0644

        state: present

      with_dict:

        192.168.56.3: client1

        192.168.56.4: client2

    - name: Load legacy iptables to test their removal

      modprobe:

        name: "{{ item }}"

        state: present

      with_items:

        - iptable_filter

        - iptable_nat

        - iptable_mangle

        - iptable_security

        - iptable_raw

        - ip6table_filter

        - ip6table_nat

        - ip6table_mangle

        - ip6table_security

        - ip6table_raw

      command: "iptables-legacy -t '{{ item }}' -N '{{ (ansible_date_time.iso8601_micro | to_uuid)[:28] }}'"

      with_items:

        - filter

        - nat

        - mangle

        - security

        - raw

      command: "ip6tables-legacy -t '{{ item }}' -N '{{ (ansible_date_time.iso8601_micro | to_uuid)[:28] }}'"

      with_items:

        - filter

        - nat

        - mangle

        - security

        - raw

    - name: Create deprecated directory for storing requirements files created using Python 3 (pip requirements upgrade checks)

      file:

        path: "/etc/pip_check_requirements_upgrades-py3"

        state: directory

        owner: root

        group: root

        mode: 0750

    - name: Create deprecated directory for Python 3 virtual environment (pip requirements upgrade checks)

      file:

        path: "/var/lib/pipreqcheck/virtualenv-py3/"

        state: directory

        owner: root

        group: root

        mode: 0750

  file:

    path: "/etc/apt/apt.conf.d/00proxy"

    state: absent

  when: apt_proxy is undefined

- name: Deploy pam-auth-update configuration file for enabling pam_umask

  copy:

    src: "pam_umask"

    dest: "/usr/share/pam-configs/umask"

    owner: root

    group: root

    mode: 0644

  register: pam_umask

  notify:

    - Update PAM configuration

- name: Update PAM configuration  # noqa no-handler

  # [no-handler] Tasks that run when changed should likely be handlers

  #   In order to have consistent behaviour during the first and

  #   subsequent playbook runs, make sure the PAM configuration is

  #   updated immediatelly. This way any files created by commands etc

  #   should end-up with correct permissions straight away.

  command: "/usr/sbin/pam-auth-update --package"

  when: pam_umask.changed

- name: Set login UMASK

  lineinfile:

    dest: "/etc/login.defs"

    state: present

    backrefs: true

    regexp: '^UMASK(\s+)'

    line: 'UMASK\g<1>027'

- name: Set home directory mask

  lineinfile:

    dest: "/etc/adduser.conf"

    state: present

    backrefs: true

    regexp: '^\s*#?\s*DIR_MODE='

    line: 'DIR_MODE=0750'

- name: Deploy bash profile configuration for fancier prompts

  template:

    src: "bash_prompt.sh.j2"

    dest: "/etc/profile.d/bash_prompt.sh"

    owner: root

    group: root

    mode: 0644

    dest: "/etc/ssh/sshd_config"

    state: present

    regexp: "^PasswordAuthentication"

    line: "PasswordAuthentication no"

  notify:

    - Restart SSH

- name: Deploy CA certificates

  copy:

    content: "{{ item.value }}"

    dest: "/usr/local/share/ca-certificates/{{ item.key }}.crt"

    owner: root

    group: root

    mode: 0644

  with_dict: "{{ ca_certificates }}"

  register: deploy_ca_certificates_result

- name: Update CA certificate cache  # noqa no-handler

  # [no-handler] Tasks that run when changed should likely be handlers

  #   CA certificate cache must be updated immediatelly in order for

  #   applications depending on deployed CA certificates can use them to

  #   validate server/client certificates.

  command: "/usr/sbin/update-ca-certificates --fresh"

  when: deploy_ca_certificates_result.changed

- name: Set-up file diversions for custom files that overrride package-provided ones

  command: "dpkg-divert --divert '{{ item }}.original' --rename '{{ item }}'"

  register: "dpkg_divert"

  changed_when: "'Adding' in dpkg_divert.stdout"

  with_items:

    - "/usr/sbin/ferm"

  notify:

    - Restart ferm

- name: Deploy the patched ferm binary that disables use of legacy iptables

  copy:

    src: ferm_binary

    dest: /usr/sbin/ferm

    owner: root

    group: root

    mode: 0755

  notify:

    - Restart ferm

- name: Install ferm (for firewall management)

  apt:

    name: ferm

    state: present

  notify:

    - Restart slapd

- name: Enable and start slapd service

  service:

    name: slapd

    state: started

    enabled: true

- name: Change log level for slapd

  ldap_attr:

    dn: cn=config

    state: exact

    name: olcLogLevel

    values: "{{ ldap_server_log_level }}"

- name: Test if LDAP misc schema has been applied

  command: "ldapsearch -H ldapi:/// -Q -LLL -A -Y EXTERNAL -b cn=schema,cn=config -s one '(cn={*}misc)' cn"

  register: ldap_misc_schema_present

  changed_when: false

- name: Deploy LDAP misc schema

  command: "ldapadd -H ldapi:/// -Q -Y EXTERNAL -f /etc/ldap/schema/misc.ldif"

  when: not ldap_misc_schema_present.stdout

# Technically, the only thing this does is pick the size of DH

# parameters to use, with GnuTLS (against which slapd is linked

# against under Debian) picking a matching DH parameter from RFC-7919

# (https://www.ietf.org/rfc/rfc7919.txt).

- name: Generate the LDAP server Diffie-Hellman parameter

  openssl_dhparam:

    owner: root

    group: openldap

    mode: 0640

    path: "/etc/ssl/private/{{ ansible_fqdn }}_ldap.dh.pem"

    size: 2048

  notify:

    - Restart slapd

- name: Deploy LDAP TLS private key

  template:

    src: "ldap_tls_key.j2"

    dest: "/etc/ssl/private/{{ ansible_fqdn }}_ldap.key"

    mode: 0640

    owner: root

    group: openldap

  notify:

    - Restart slapd

  tasks:

    - name: Install SWAKS for testing SMTP capability

      apt:

        name: swaks

        state: present

    - name: Install tool for testing TCP connectivity

      apt:

        name: hping3

        state: present

    - name: Deploy CA certificate

      copy:

        src: tests/data/x509/ca/level1.cert.pem

        dest: /usr/local/share/ca-certificates/testca.crt

        owner: root

        group: root

        mode: 0644

      notify:

        - Update CA certificate cache

  handlers:

      command: /usr/sbin/update-ca-certificates --fresh

- name: Prepare, helpers

  hosts: mail-servers

  become: true

  tasks:

    - name: Deploy CA certificate

      copy:

        src: tests/data/x509/ca/level1.cert.pem

        dest: /usr/local/share/ca-certificates/testca.crt

        owner: root

        group: root

        mode: 0644

      notify:

        - Update CA certificate cache

    - name: Deploy SMTP private key and certificate

      copy:

        src: "tests/data/x509/server/{{ item }}"

        dest: "/etc/ssl/{{ item }}"

        owner: root

        group: root

        mode: 0600

        src: tests/data/main.cf

        dest: /etc/postfix/main.cf

        owner: root

        group: root

        mode: 0644

      notify:

        - Restart Postfix

    - name: Install tool for testing TCP connectivity

      apt:

        name: hping3

        state: present

    - name: Install SWAKS for testing SMTP capability

      apt:

        name: swaks

        state: present

    - name: Set-up port forwarding

      command: "iptables -t nat -A PREROUTING -p tcp -m tcp --dport 27 -j REDIRECT --to-ports 25"

      changed_when: false

  handlers:

      command: /usr/sbin/update-ca-certificates --fresh

    - name: Restart Postfix

      service:

        name: postfix

        state: restarted

- name: Prepare, test fixtures

  hosts: parameters-optional

  become: true

  tasks:

    - name: Create additional group for testing local aliases

      group:

        name: testuser

    - name: Create additional user for testing local aliases

      user:

        name: testuser

        group: testuser

        owner: vagrant

        group: vagrant

        mode: 0644

    - name: Install requirements in the pipreqcheck virtual environment

      become: true

      become_user: vagrant

      pip:

        requirements: /var/lib/cvdupdate/requirements.txt

        virtualenv: /var/lib/cvdupdate

    - name: Allow traversal of Vagrant directory by the http server user

      file:

        path: /vagrant/

        mode: 0711

    - name: Create directory for storing ClamAV database files

      file:

        path: /vagrant/clamav-database

        state: directory

        owner: vagrant

        group: vagrant

        mode: 0755

      become: true

      become_user: vagrant

      command: "/var/lib/cvdupdate/bin/cvd config set --dbdir /vagrant/clamav-database/"

      become: true

      become_user: vagrant

      command: "/var/lib/cvdupdate/bin/cvd update"

    - name: Allow all users to read ClamAV database files

      file:

        path: "/vagrant/clamav-database/"

        mode: "g=u-w,o=u-w"

        recurse: true

    - name: Deploy nginx TLS private key

      copy:

        dest: "/etc/ssl/private/nginx_https.key"

        content: "{{ clamav_database_http_server_tls_key }}"

        mode: 0640

        owner: root

        group: root

      notify:

        - Restart nginx

    - name: Deploy nginx TLS certificate

      copy:

        dest: "/etc/ssl/certs/nginx_https.pem"

        content: "{{ clamav_database_http_server_tls_certificate }}"

        - name: Purge Exim

          apt:

            name: "exim4*"

            state: absent

            purge: true

        - name: Configure Postfix

          template:

            src: "helper_smtp_main.cf.j2"

            dest: "/etc/postfix/main.cf"

            owner: root

            group: root

            mode: 0644

          notify:

            - Restart Postfix

        - name: Enable Postfix service

          service:

            name: postfix

            state: started

            enabled: true

  handlers:

      command: /usr/sbin/update-ca-certificates --fresh

    - name: Restart Postfix

      service:

        name: postfix

        state: restarted

- name: Prepare, helpers

  hosts: ldap-server

  become: true

  roles:

    - ldap_server

    - backup_server

- name: Prepare, test fixtures

  hosts: ldap-server

  become: true

  tasks:

    - name: Create LDAP accounts for testing

      ldap_entry:

        dn: "{{ item.dn }}"

        objectClass: "{{ item.objectClass }}"

        attributes: "{{ item.attributes }}"

      with_items:

        regexp: "^root"

        line: "root: vagrant"

        state: present

      notify:

        - Generate aliases database

    - name: Set-up group for an additional user

      group:

        name: user

        state: present

    - name: Set-up additional user for testing mail delivery

      user:

        name: user

        group: user

        shell: /bin/bash

  handlers:

    - name: Restart Postfix

      service:

        name: postfix

        state: restarted

      command: "/usr/bin/newaliases"

  tasks:

    - name: Install tool for testing TCP connectivity

      apt:

        name: hping3

        state: present

    - name: Install console-based web browser for interactive testing

      apt:

        name: lynx

        state: present

    - name: Deploy CA certificate

      copy:

        src: tests/data/x509/ca/level1.cert.pem

        dest: /usr/local/share/ca-certificates/testca.crt

        owner: root

        group: root

        mode: 0644

      notify:

        - Update CA certificate cache

  handlers:

      command: /usr/sbin/update-ca-certificates --fresh

        regexp: "^root"

        line: "root: vagrant"

        state: present

      notify:

        - Generate aliases database

    - name: Set-up group for an additional user

      group:

        name: user

        state: present

    - name: Set-up additional user for testing mail delivery

      user:

        name: user

        group: user

        shell: /bin/bash

  handlers:

    - name: Restart Postfix

      service:

        name: postfix

        state: restarted

      command: "/usr/bin/newaliases"

      with_items:

        - jid: john.doe@domain1

          password: johnpassword

          server: domain1

          security: tls

          nickname: john.doe

        - jid: jane.doe@domain2

          password: janepassword

          server: domain2

          security: ssl

          nickname: jane.doe

        - jid: mick.doe@domain3

          password: mickpassword

          server: domain3

          security: tls

          nickname: mick.doe

        - jid: noxmpp@domain1

          password: noxmpppassword

          server: domain1

          security: tls

          nickname: noxmpp

  handlers:

      command: /usr/sbin/update-ca-certificates --fresh

- name: Prepare, helpers

  hosts: ldap-server

  become: true

  roles:

    - ldap_server

    - backup_server

- name: Prepare, test fixtures

  hosts: ldap-server

  become: true

  tasks:

    - name: Create LDAP accounts for testing

      ldap_entry:

        dn: "{{ item.dn }}"

        objectClass: "{{ item.objectClass }}"

        attributes: "{{ item.attributes }}"

      with_items:

        - dn: uid=john,ou=people,dc=local

          objectClass:

            - inetOrgPerson

            - simpleSecurityObject

          attributes: