---

- name: Configure backup patterns

  template:

    src: "backup_patterns.j2"

    dest: "/etc/duply/main/patterns/{{ backup_patterns_filename }}"

    owner: root

    group: root

    mode: 0600

  notify:

    - Assemble Duply include patterns

- name: Explicitly run all handlers

  when: "run_handlers | default(False) | bool()"

  tags:

    - handlers

    owner: root

    group: root

    mode: 0600

- name: Deploy base exclude pattern (exclude all by default)

  copy:

    content: "- **"

    dest: "/etc/duply/main/exclude"

    owner: root

    group: root

    mode: 0600

- name: Set-up directory for storing pre-backup scripts

  file:

    path: "/etc/duply/main/pre.d/"

    state: directory

    owner: root

    group: root

    mode: 0700

- name: Set-up script for running all pre-backup scripts

  copy:

    src: "duply_pre"

    dest: "/etc/duply/main/pre"

    owner: root

    group: root

    mode: 0700

- name: Deploy crontab entry for running backups

  cron:

    name: backup

    cron_file: backup

    hour: "2"

    minute: "0"

    job: "/usr/bin/duply main pre_and_bkp && /usr/bin/duply main post_and_purge --force"

    state: present

    user: root

- name: Ensure the file with include patterns exists (but do not overwrite)

  copy:

    content: ""

    dest: /etc/duply/main/include

    force: false

    group: root

    owner: root

    mode: 0600

- name: Explicitly run all handlers

  when: "run_handlers | default(False) | bool()"

  tags:

    - handlers

    src: "backup-sshd_config"

    dest: "/etc/ssh-backup/sshd_config"

    owner: root

    group: root

    mode: 0600

  notify:

    - Restart backup SSH server

- name: Deploy the private keys for backup OpenSSH server instance

  template:

    src: "ssh_host_key.j2"

    dest: "/etc/ssh-backup/ssh_host_{{ item.key }}_key"

    owner: root

    group: root

    mode: 0600

  with_dict: "{{ backup_host_ssh_private_keys }}"

  notify:

    - Restart backup SSH server

  no_log: true

- name: Deploy backup OpenSSH server systemd service file

  copy:

    src: "ssh-backup.service"

    dest: "/etc/systemd/system/ssh-backup.service"

    owner: root

    group: root

    mode: 0644

  notify:

    - Reload systemd

    - Restart backup SSH server

- name: Start and enable OpenSSH backup service

  service:

    name: "ssh-backup"

    state: started

    enabled: true

- name: Deploy firewall configuration for backup server

  template:

    src: "ferm_backup.conf.j2"

    dest: "/etc/ferm/conf.d/40-backup.conf"

    owner: root

    group: root

    mode: 0640

  notify:

    - Restart ferm

- name: Explicitly run all handlers

  when: "run_handlers | default(False) | bool()"

  tags:

    - handlers

---

- name: Install sudo

  apt:

    name: sudo

    state: present

- name: Set-up the Ansible group

  group:

    name: ansible

    system: true

- name: Set-up the Ansible user

  user:

    name: ansible

    system: true

    group: ansible

    shell: /bin/bash

- name: Set-up authorized key for the Ansible user

  authorized_key:

    user: ansible

    key: "{{ ansible_key }}"

- name: Set-up password-less sudo for the ansible user

  copy:

    src: "ansible_sudo"

    dest: "/etc/sudoers.d/ansible"

    mode: 0640

    owner: root

    group: root

- name: Revoke rights for Ansible user to log-in as root to server via ssh

  authorized_key:

    user: root

    key: "{{ ansible_key }}"

    state: absent

- name: Explicitly run all handlers

  when: "run_handlers | default(False) | bool()"

  tags:

    - handlers

  register: pipreqcheck_pip_sync

  changed_when: "pipreqcheck_pip_sync.stdout != 'Everything up-to-date'"

- name: Deploy script for checking available upgrades

  copy:

    src: "pip_check_requirements_upgrades.sh"

    dest: "/usr/local/bin/pip_check_requirements_upgrades.sh"

    owner: root

    group: root

    mode: 0755

- name: Deploy crontab entry for checking pip requirements

  copy:

    src: "cron_check_pip_requirements"

    dest: "/etc/cron.d/check_pip_requirements"

    owner: root

    group: root

    mode: 0644

- name: Install NTP packages

  apt:

    name:

      - ntpsec

      - ntpsec-ntpdate

    state: present

  when: ntp_pools | length > 0

- name: Remove NTP packages

  apt:

    name:

      - ntpsec

      - ntpsec-ntpdate

    state: absent

    purge: true

  when: ntp_pools | length == 0

- name: Deploy NTP configuration

  template:

    src: "ntp.conf.j2"

    dest: "/etc/ntpsec/ntp.conf"

    owner: root

    group: root

    mode: 0644

  when: ntp_pools | length > 0

  notify:

    - Restart NTP server

- name: Explicitly run all handlers

  when: "run_handlers | default(False) | bool()"

  tags:

    - handlers

---

- name: "Create database {{ db_name }}"

  mysql_db:

    name: "{{ db_name }}"

    state: present

    login_unix_socket: "/var/run/mysqld/mysqld.sock"

- name: "Create database user {{ db_name }}"

  mysql_user:

    name: "{{ db_name }}"

    password: "{{ db_password }}"

    priv: "{{ db_name }}.*:ALL"

    state: present

    login_unix_socket: "/var/run/mysqld/mysqld.sock"

- name: Enable backup

  when: enable_backup

- name: Explicitly run all handlers

  when: "run_handlers | default(False) | bool()"

  tags:

    - handlers

---

- name: Install MariaDB

  apt:

    name:

      - mariadb-client

      - mariadb-server

      - python3-pymysql

    state: present

- name: Enable and start MariaDB

  service:

    name: mysql

    state: started

    enabled: true

- name: Set UTF-8 encoding as default for MariaDB

  template:

    src: "utf8.cnf.j2"

    dest: "/etc/mysql/mariadb.conf.d/90-utf8.cnf"

    owner: root

    group: root

    mode: 0644

  register: mariadb_utf8_configuration

- name: Restart MariaDB in order to use UTF-8 as default character set  # noqa 503

  # [503] Tasks that run when changed should likely be handlers

  #   UTF-8 configuration must be applied immediatelly in order to ensure that

  #   subsequent tasks that create databases will end-up with correct (UTF-8)

  #   encoding. Otherwise they will be created using default latin1.

  service:

    name: mysql

    state: restarted

  when: mariadb_utf8_configuration.changed

- name: Explicitly run all handlers

  when: "run_handlers | default(False) | bool()"

  tags:

    - handlers

---

- name: Install OpenLDAP client tools

  apt:

    name: ldap-utils

    state: present

- name: Set-up LDAP client configuration directory

  file:

    path: /etc/ldap/

    state: directory

    owner: root

    group: root

    mode: 0755

- name: Deploy LDAP client configuration file

  template:

    src: ldap.conf.j2

    dest: /etc/ldap/ldap.conf

    owner: root

    group: root

    mode: 0644

- name: Explicitly run all handlers

  when: "run_handlers | default(False) | bool()"

  tags:

    - handlers

    objectClass: "{{ item.attributes.objectClass }}"

    attributes: "{{ item.attributes }}"

    state: "{{ item.state | default('present') }}"

  with_items: "{{ ldap_entries }}"

- name: Deploy firewall configuration for LDAP

  copy:

    src: "ferm_ldap.conf"

    dest: "/etc/ferm/conf.d/10-ldap.conf"

    owner: root

    group: root

    mode: 0640

  notify:

    - Restart ferm

# @TODO: This whole thing could be dropped if newer version of Ansible

#        was in use (where community collection has the ldap_search

#        module.

- name: Deploy temporary file with LDAP admin password

  template:

    src: "ldap_admin_password.j2"

    dest: "/root/.ldap_admin_password"

    owner: root

    group: root

    mode: 0400

  changed_when: false

- name: Test if LDAP admin password needs to be changed

  command: "ldapwhoami -H ldapi:/// -D 'cn=admin,{{ ldap_server_int_basedn }}' -x -y /root/.ldap_admin_password"

  register: ldap_admin_password_check

  changed_when: ldap_admin_password_check.rc != 0

  failed_when: false

- name: Update LDAP admin password

  ldap_attr:

    dn: "olcDatabase={1}mdb,cn=config"

    name: olcRootPW

    values: "{{ ldap_admin_password | ldap_password_hash }}"

    state: exact

  when: ldap_admin_password_check.rc != 0

- name: Remove temporary file with LDAP admin password

  file:

    path: "/root/.ldap_admin_password"

    state: absent

  changed_when: false

- name: Enable backup

  when: enable_backup

- name: Explicitly run all handlers

  when: "run_handlers | default(False) | bool()"

  tags:

    - handlers

- name: Retrieve IPv4 addresses of SMTP relay host

  shell: "getent ahostsv4 '{{ smtp_relay_host }}' | awk '{ print $1 }' | sort -u"  # noqa 306

  # [306] Shells that use pipes should set the pipefail option

  #   The getent ahostsv4 command has non-zero exit code if the

  #   supplies name cannot be resolved. However, that is a valid

  #   use-case for extracting this information. It effectively means

  #   that no IPv4 firewall rules will be deployed for allowing

  #   incoming connections from the SMTP relay host.

  changed_when: false

  register: smtp_relay_host_ipv4

- name: Retrieve IPv6 addresses of SMTP relay host

  shell: "getent ahostsv6 '{{ smtp_relay_host }}' | awk '{ print $1 }' | grep -v '^::ffff:' | sort -u"  # noqa 306

  # [306] Shells that use pipes should set the pipefail option

  #   The getent ahostsv6 command has non-zero exit code if the

  #   supplies name cannot be resolved. However, that is a valid

  #   use-case for extracting this information. It effectively means

  #   that no IPv6 firewall rules will be deployed for allowing

  #   incoming connections from the SMTP relay host.

  changed_when: false

  register: smtp_relay_host_ipv6

- name: Normalise the SMTP relay host IPv4 addresses variable

  set_fact:

    smtp_relay_host_ipv4: "{{ smtp_relay_host_ipv4.stdout_lines | reject('equalto', '') | list }}"

  when: "smtp_relay_host | length != 0"

- name: Normalise the SMTP relay host IPv6 addresses variable

  set_fact:

    smtp_relay_host_ipv6: "{{ smtp_relay_host_ipv6.stdout_lines | reject('equalto', '') | list }}"

  when: "smtp_relay_host | length != 0"

- name: Deploy firewall configuration for mail forwader

  template:

    src: "ferm_mail.conf.j2"

    dest: "/etc/ferm/conf.d/20-mail.conf"

    owner: root

    group: root

    mode: 0640

  notify:

    - Restart ferm

- name: Install SWAKS

  apt:

    name: swaks

    state: present

- name: Explicitly run all handlers

  when: "run_handlers | default(False) | bool()"

  tags:

    - handlers

    - /var/lib/clamav/main.cld

  register: clamav_db_files

- name: Wait for ClamAV database to be available (up to 10 minutes)

  when: not item.stat.exists

  with_items: "{{ clamav_db_files.results }}"

  wait_for:

    path: "{{ item.item | replace('.cld', '.cvd') }}"

    timeout: 600

- name: Enable and start ClamAV daemon and milter services

  service:

    name: "{{ item }}"

    state: started

    enabled: true

  with_items:

    - clamav-daemon

    - clamav-milter

# It may take ClamAV a while to read all the necessary database files etc.

- name: Wait for ClamAV to become available (up to 5 minutes)

  wait_for:

    path: "/var/run/clamav/clamd.ctl"

    timeout: 300

- name: Enable and start Postfix service

  service:

    name: postfix

    state: started

    enabled: true

- name: Enable and start Dovecot service

  service:

    name: dovecot

    state: started

    enabled: true

- name: Deploy firewall configuration for mail server

  copy:

    src: "ferm_mail.conf"

    dest: "/etc/ferm/conf.d/20-mail.conf"

    owner: root

    group: root

    mode: 0640

  notify:

    - Restart ferm

- name: Explicitly run all handlers

  when: "run_handlers | default(False) | bool()"

  tags:

    - handlers

- name: Deploy nginx TLS private key for website

  copy:

    dest: "/etc/ssl/private/{{ fqdn }}_https.key"

    content: "{{ https_tls_key }}"

    owner: root

    group: root

    mode: 0640

  notify:

    - Restart nginx

- name: Deploy nginx TLS certificate for website

  copy:

    dest: "/etc/ssl/certs/{{ fqdn }}_https.pem"

    content: "{{ https_tls_certificate }}"

    owner: root

    group: root

    mode: 0644

  notify:

    - Restart nginx

- name: Deploy configuration file for checking certificate validity via cron

  copy:

    content: "/etc/ssl/certs/{{ fqdn }}_https.pem"

    dest: "/etc/check_certificate/{{ fqdn }}_https.conf"

    owner: root

    group: root

    mode: 0644

- name: Deploy nginx configuration file for website

  template:

    src: "nginx_site.j2"

    dest: "/etc/nginx/sites-available/{{ fqdn }}"

    owner: root

    group: root

    mode: 0640

    validate: "/usr/local/bin/nginx_verify_site.sh -n '{{ fqdn }}' %s"

  notify:

    - Restart nginx

- name: Enable website

  file:

    src: "/etc/nginx/sites-available/{{ fqdn }}"

    dest: "/etc/nginx/sites-enabled/{{ fqdn }}"

    state: link

  notify:

    - Restart nginx

- name: Explicitly run all handlers

  when: "run_handlers | default(False) | bool()"

  tags:

    - handlers

---

- name: Create directory for storing preseed configurations

  file:

    path: "{{ preseed_directory }}"

    mode: 0750

    state: directory

- name: Create preseed configuration file

  template:

    src: "preseed.cfg.j2"

    dest: "{{ preseed_directory }}/{{ item }}.cfg"

    mode: 0640

  when: item != "localhost"

  with_items: "{{ groups['all'] }}"

- name: Explicitly run all handlers

  when: "run_handlers | default(False) | bool()"

  tags:

    - handlers

      tmpfiles_d: "wsgi.conf"

    - socket_dir: php

      tmpfiles_d: "{{ php_fpm_service_name }}.conf"

- name: Create directory for storing PHP-FPM service configuration overrides

  file:

    path: "/etc/systemd/system/{{ php_fpm_service_name }}.service.d/"

    state: directory

    owner: root

    group: root

    mode: 0755

- name: Configure PHP-FPM service to run with umask 0007

  copy:

    src: "php_fpm_umask.conf"

    dest: "/etc/systemd/system/{{ php_fpm_service_name }}.service.d/umask.conf"

    owner: root

    group: root

    mode: 0644

  notify:

    - Reload systemd

    - Restart PHP-FPM

- name: Enable service used for running PHP web applications

  service:

    name: "{{ php_fpm_service_name }}"

    enabled: true

    state: started

- name: Read timezone on server

  slurp:

    src: "/etc/timezone"

  register: server_timezone

- name: Configure timezone for PHP

  template:

    src: "php_timezone.ini.j2"

    dest: "{{ item }}/30-timezone.ini"

    owner: root

    group: root

    mode: 0644

  with_items:

    - "{{ php_base_config_dir }}/cli/conf.d/"

    - "{{ php_base_config_dir }}/fpm/conf.d/"

  notify:

    - Restart PHP-FPM

- name: Explicitly run all handlers

  when: "run_handlers | default(False) | bool()"

  tags:

    - handlers

    owner: root

    group: root

    mode: 0644

- name: Deploy nginx configuration file for website

  template:

    src: "nginx_site.j2"

    dest: "/etc/nginx/sites-available/{{ fqdn }}"

    owner: root

    group: root

    mode: 0640

    validate: "/usr/local/bin/nginx_verify_site.sh -n '{{ fqdn }}' %s"

  notify:

    - Restart nginx

- name: Enable nginx website

  file:

    src: "/etc/nginx/sites-available/{{ fqdn }}"

    dest: "/etc/nginx/sites-enabled/{{ fqdn }}"

    state: link

  notify:

    - Restart nginx

- name: Set-up empty list of WSGI services to restart

  set_fact:

    wsgi_services_to_restart: []

  when: "wsgi_services_to_restart is not defined"

  tags:

    - handlers

- name: Add service to list of WSGI services to restart  # noqa 503

  # [503] Tasks that run when changed should likely be handlers

  #   This specific task is used in order to work around inability of Ansible

  #   to provide properly parametrised handlers for reusable roles.

  set_fact:

    wsgi_services_to_restart: "{{ wsgi_services_to_restart + [ fqdn ] }}"

  when: |

    fqdn not in wsgi_services_to_restart and

    ((install_extra_packages is defined and install_extra_packages.changed) or

    (install_additional_packages_in_virtualenv is defined and install_additional_packages_in_virtualenv.changed) or

    (deploy_systemd_socket_configuration is defined and deploy_systemd_socket_configuration.changed) or

    (deploy_systemd_service_configuration is defined and deploy_systemd_service_configuration.changed) or

    (install_gunicorn_via_requirements is defined and install_gunicorn_via_requirements.changed) or

    (run_handlers | default(False) | bool()))

  tags:

    - handlers

- name: Explicitly run all handlers

  when: "run_handlers | default(False) | bool()"

  tags:

    - handlers

    group: root

    mode: 0755

- name: Set-up crontab task that runs the Prosody certificate checker script once a day

  copy:

    src: "cron_check_prosody_certificate"

    dest: "/etc/cron.d/check_prosody_certificate"

    owner: root

    group: root

    mode: 0644

- name: Deploy LDAP client configuration (for validating LDAP server certificate)

  copy:

    src: prosody_ldaprc

    dest: "/var/lib/prosody/.ldaprc"

    owner: root

    group: prosody

    mode: 0640

  notify:

    - Restart Prosody

- name: Deploy Prosody configuration file

  template:

    src: "prosody.cfg.lua.j2"

    dest: "/etc/prosody/prosody.cfg.lua"

    owner: root

    group: prosody

    mode: 0640

  notify:

    - Restart Prosody

- name: Enable and start Prosody service

  service:

    name: prosody

    state: started

    enabled: true

- name: Deploy firewall configuration for XMPP server

  copy:

    src: "ferm_xmpp.conf"

    dest: "/etc/ferm/conf.d/30-xmpp.conf"

    owner: root

    group: root

    mode: 0640

  notify:

    - Restart ferm

- name: Explicitly run all handlers

  when: "run_handlers | default(False) | bool()"

  tags:

    - handlers