Changeset - a3d247bb2e09
0 10 0
Branko Majic (branko) - 16 days ago 2024-09-03 13:09:27
branko@majic.rs
MAR-218: Update noqa directives for ansible-lint to use text tags:

- Numeric tagging is deprecated.
10 files changed with 28 insertions and 28 deletions:
roles/backup_client/handlers/main.yml
 
---
 

	
 
# @TODO: Can't use file module, since one of the files (GnuPG socket)
 
#        seems to disappear in middle of operation).
 
- name: Remove current keyring  # noqa 301
 
  # [301] Commands should not change things if nothing needs doing
 
- name: Remove current keyring  # noqa no-changed-when
 
  # [no-changed-when] Commands should not change things if nothing needs doing
 
  #   This task is invoked only if user is very specific about requiring to
 
  #   run the handlers manually as a way to bring the system to consistency
 
  #   after interrupted runs.
 
  command: "rm -rf /etc/duply/main/gnupg"
 

	
 
- name: Create keyring directory
 
  file:
 
    path: "/etc/duply/main/gnupg"
 
    state: directory
 
    owner: root
 
    group: root
 
    mode: 0700
 

	
 
- name: Import private keys  # noqa 301
 
  # [301] Commands should not change things if nothing needs doing
 
- name: Import private keys  # noqa no-changed-when
 
  # [no-changed-when] Commands should not change things if nothing needs doing
 
  #   This task is invoked only if user is very specific about requiring to
 
  #   run the handlers manually as a way to bring the system to consistency
 
  #   after interrupted runs.
 
  command: "gpg --no-tty --homedir /etc/duply/main/gnupg --import /etc/duply/main/private_keys.asc"
 

	
 
- name: Import public keys
 
  command: "gpg --no-tty --homedir /etc/duply/main/gnupg --import /etc/duply/main/public_keys.asc"
 
  when: backup_additional_encryption_keys | length > 0
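Review bot: The renamed skip comments on the "Remove current keyring" and "Import private keys" tasks are written without a colon (`# noqa no-changed-when`), while the ansible-lint documentation shows the form `# noqa: no-changed-when`. Since this commit exists to move off deprecated directive syntax, it is worth confirming that the ansible-lint version used by the project accepts the colon-less form without a warning, or switching to the documented form now; the same applies to every other `# noqa` line touched in this changeset. Separately, the "Import public keys" task at the end of this section also runs `command` with no visible `changed_when` and no skip comment; the task may continue past the lines shown, so check whether it needs the same treatment.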
roles/common/handlers/main.yml
 
---
 

	
 
- name: Update PAM configuration  # noqa 301
 
  # [301] Commands should not change things if nothing needs doing
 
- name: Update PAM configuration  # noqa no-changed-when
 
  # [no-changed-when] Commands should not change things if nothing needs doing
 
  #   This task is invoked only if user is very specific about requiring to
 
  #   run the handlers manually as a way to bring the system to consistency
 
  #   after interrupted runs.
 
  command: "/usr/sbin/pam-auth-update --package"
 

	
 
- name: Restart SSH
 
  service:
 
    name: ssh
 
    state: restarted
 

	
 
- name: Update CA certificate cache  # noqa 301
 
  # [301] Commands should not change things if nothing needs doing
 
- name: Update CA certificate cache  # noqa no-changed-when
 
  # [no-changed-when] Commands should not change things if nothing needs doing
 
  #   This task is invoked only if user is very specific about requiring to
 
  #   run the handlers manually as a way to bring the system to consistency
 
  #   after interrupted runs.
 
  command: "/usr/sbin/update-ca-certificates --fresh"
 

	
 
- name: Restart ferm
 
  service:
 
    name: ferm
 
    state: restarted
 

	
 
- name: Reload systemd
 
  systemd:
roles/common/tasks/main.yml
 
@@ -40,26 +40,26 @@
 

	
 
- name: Deploy pam-auth-update configuration file for enabling pam_umask
 
  copy:
 
    src: "pam_umask"
 
    dest: "/usr/share/pam-configs/umask"
 
    owner: root
 
    group: root
 
    mode: 0644
 
  register: pam_umask
 
  notify:
 
    - Update PAM configuration
 

	
 
- name: Update PAM configuration  # noqa 503
 
  # [503] Tasks that run when changed should likely be handlers
 
- name: Update PAM configuration  # noqa no-handler
 
  # [no-handler] Tasks that run when changed should likely be handlers
 
  #   In order to have consistent behaviour during the first and
 
  #   subsequent playbook runs, make sure the PAM configuration is
 
  #   updated immediatelly. This way any files created by commands etc
 
  #   should end-up with correct permissions straight away.
 
  command: "/usr/sbin/pam-auth-update --package"
 
  when: pam_umask.changed
 

	
 
- name: Set login UMASK
 
  lineinfile:
 
    dest: "/etc/login.defs"
 
    state: present
 
    backrefs: true
 
@@ -195,26 +195,26 @@
 
    - Restart SSH
 

	
 
- name: Deploy CA certificates
 
  copy:
 
    content: "{{ item.value }}"
 
    dest: "/usr/local/share/ca-certificates/{{ item.key }}.crt"
 
    owner: root
 
    group: root
 
    mode: 0644
 
  with_dict: "{{ ca_certificates }}"
 
  register: deploy_ca_certificates_result
 

	
 
- name: Update CA certificate cache  # noqa 503
 
  # [503] Tasks that run when changed should likely be handlers
 
- name: Update CA certificate cache  # noqa no-handler
 
  # [no-handler] Tasks that run when changed should likely be handlers
 
  #   CA certificate cache must be updated immediatelly in order for
 
  #   applications depending on deployed CA certificates can use them to
 
  #   validate server/client certificates.
 
  command: "/usr/sbin/update-ca-certificates --fresh"
 
  when: deploy_ca_certificates_result.changed
 

	
 
- name: Set-up file diversions for custom files that overrride package-provided ones
 
  command: "dpkg-divert --divert '{{ item }}.original' --rename '{{ item }}'"
 
  register: "dpkg_divert"
 
  changed_when: "'Adding' in dpkg_divert.stdout"
 
  with_items:
 
    - "/usr/sbin/ferm"
roles/database_server/tasks/main.yml
 
@@ -14,26 +14,26 @@
 
    state: started
 
    enabled: true
 

	
 
- name: Set UTF-8 encoding as default for MariaDB
 
  template:
 
    src: "utf8.cnf.j2"
 
    dest: "/etc/mysql/mariadb.conf.d/90-utf8.cnf"
 
    owner: root
 
    group: root
 
    mode: 0644
 
  register: mariadb_utf8_configuration
 

	
 
- name: Restart MariaDB in order to use UTF-8 as default character set  # noqa 503
 
  # [503] Tasks that run when changed should likely be handlers
 
- name: Restart MariaDB in order to use UTF-8 as default character set  # noqa no-handler
 
  # [no-handler] Tasks that run when changed should likely be handlers
 
  #   UTF-8 configuration must be applied immediatelly in order to ensure that
 
  #   subsequent tasks that create databases will end-up with correct (UTF-8)
 
  #   encoding. Otherwise they will be created using default latin1.
 
  service:
 
    name: mysql
 
    state: restarted
 
  when: mariadb_utf8_configuration.changed
 

	
 
- name: Explicitly run all handlers
 
  include_tasks: ../handlers/main.yml
 
  when: "run_handlers | default(False) | bool()"
 
  tags:
roles/ldap_server/tasks/main.yml
 
@@ -17,26 +17,26 @@
 
- name: Install slapd
 
  apt:
 
    name: slapd
 
    state: present
 

	
 
- name: Allow OpenLDAP user to traverse the directory with TLS private keys
 
  user:
 
    name: openldap
 
    append: true
 
    groups: ssl-cert
 
  register: openldap_in_ssl_cert
 

	
 
- name: Restart slapd if group membership has changed (apply immediatelly)  # noqa 503
 
  # [503] Tasks that run when changed should likely be handlers
 
- name: Restart slapd if group membership has changed (apply immediatelly)  # noqa no-handler
 
  # [no-handler] Tasks that run when changed should likely be handlers
 
  #   In order to be able to change LDAP server TLS configuration, it must be
 
  #   able to read both the private key and certificate. Therefore we need to
 
  #   immediatelly restart (since configuration is done live on the server.
 
  service:
 
    name: slapd
 
    state: restarted
 
  when: openldap_in_ssl_cert.changed
 

	
 
- name: Install Python LDAP bindings
 
  apt:
 
    name: python3-pyldap
 
    state: present
roles/mail_forwarder/handlers/main.yml
 
---
 

	
 
- name: Rebuild mail aliases  # noqa 301
 
  # [301] Commands should not change things if nothing needs doing
 
- name: Rebuild mail aliases  # noqa no-changed-when
 
  # [no-changed-when] Commands should not change things if nothing needs doing
 
  #   This task is invoked only if user is very specific about requiring to
 
  #   run the handlers manually as a way to bring the system to consistency
 
  #   after interrupted runs.
 
  command: "/usr/bin/newaliases"
 

	
 
- name: Restart Postfix
 
  service:
 
    name: postfix
 
    state: restarted
roles/mail_forwarder/tasks/main.yml
 
@@ -62,37 +62,37 @@
 
    state: present
 
  with_dict: "{{ local_mail_aliases }}"
 
  notify:
 
    - Rebuild mail aliases
 

	
 
- name: Enable and start postfix service
 
  service:
 
    name: postfix
 
    state: started
 
    enabled: true
 

	
 
- name: Retrieve IPv4 addresses of SMTP relay host
 
  shell: "getent ahostsv4 '{{ smtp_relay_host }}' | awk '{ print $1 }' | sort -u"  # noqa 306
 
  # [306] Shells that use pipes should set the pipefail option
 
  shell: "getent ahostsv4 '{{ smtp_relay_host }}' | awk '{ print $1 }' | sort -u"  # noqa risky-shell-pipe
 
  # [risky-shell-pipe] Shells that use pipes should set the pipefail option
 
  #   The getent ahostsv4 command has non-zero exit code if the
 
  #   supplies name cannot be resolved. However, that is a valid
 
  #   use-case for extracting this information. It effectively means
 
  #   that no IPv4 firewall rules will be deployed for allowing
 
  #   incoming connections from the SMTP relay host.
 
  changed_when: false
 
  register: smtp_relay_host_ipv4
 

	
 
- name: Retrieve IPv6 addresses of SMTP relay host
 
  shell: "getent ahostsv6 '{{ smtp_relay_host }}' | awk '{ print $1 }' | grep -v '^::ffff:' | sort -u"  # noqa 306
 
  # [306] Shells that use pipes should set the pipefail option
 
  shell: "getent ahostsv6 '{{ smtp_relay_host }}' | awk '{ print $1 }' | grep -v '^::ffff:' | sort -u"  # noqa risky-shell-pipe
 
  # [risky-shell-pipe] Shells that use pipes should set the pipefail option
 
  #   The getent ahostsv6 command has non-zero exit code if the
 
  #   supplies name cannot be resolved. However, that is a valid
 
  #   use-case for extracting this information. It effectively means
 
  #   that no IPv6 firewall rules will be deployed for allowing
 
  #   incoming connections from the SMTP relay host.
 
  changed_when: false
 
  register: smtp_relay_host_ipv6
 

	
 
- name: Normalise the SMTP relay host IPv4 addresses variable
 
  set_fact:
 
    smtp_relay_host_ipv4: "{{ smtp_relay_host_ipv4.stdout_lines | reject('equalto', '') | list }}"
 
  when: "smtp_relay_host | length != 0"
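Review bot: Both `shell:` lines interpolate `smtp_relay_host` between hand-written single quotes, so a value that itself contains a single quote ends the quoting and the rest of the value is parsed by the shell as command text. Ansible's `quote` filter handles this for any value: `shell: "getent ahostsv4 {{ smtp_relay_host | quote }} | awk '{ print $1 }' | sort -u"  # noqa risky-shell-pipe`, and likewise for the `ahostsv6` line. The variable presumably comes from inventory, which limits exposure, but the filter keeps the command well-formed regardless of where the value originates. The file continues outside the hunk, so other uses of the variable in shell or command tasks should be checked as well.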
roles/mail_server/handlers/main.yml
 
@@ -6,18 +6,18 @@
 
    state: restarted
 

	
 
- name: Restart Dovecot
 
  service:
 
    name: dovecot
 
    state: restarted
 

	
 
- name: Restart ClamAV Milter
 
  service:
 
    name: clamav-milter
 
    state: restarted
 

	
 
- name: Rebuild mail aliases  # noqa 301
 
  # [301] Commands should not change things if nothing needs doing
 
- name: Rebuild mail aliases  # noqa no-changed-when
 
  # [no-changed-when] Commands should not change things if nothing needs doing
 
  #   This task is invoked only if user is very specific about requiring to
 
  #   run the handlers manually as a way to bring the system to consistency
 
  #   after interrupted runs.
 
  command: /usr/bin/newaliases
roles/wsgi_website/tasks/main.yml
 
@@ -286,26 +286,26 @@
 
    dest: "/etc/nginx/sites-enabled/{{ fqdn }}"
 
    state: link
 
  notify:
 
    - Restart nginx
 

	
 
- name: Set-up empty list of WSGI services to restart
 
  set_fact:
 
    wsgi_services_to_restart: []
 
  when: "wsgi_services_to_restart is not defined"
 
  tags:
 
    - handlers
 

	
 
- name: Add service to list of WSGI services to restart  # noqa 503
 
  # [503] Tasks that run when changed should likely be handlers
 
- name: Add service to list of WSGI services to restart  # noqa no-handler
 
  # [no-handler] Tasks that run when changed should likely be handlers
 
  #   This specific task is used in order to work around inability of Ansible
 
  #   to provide properly parametrised handlers for reusable roles.
 
  set_fact:
 
    wsgi_services_to_restart: "{{ wsgi_services_to_restart + [fqdn] }}"
 
  when: |
 
    fqdn not in wsgi_services_to_restart and
 
    ((install_extra_packages is defined and install_extra_packages.changed) or
 
    (install_additional_packages_in_virtualenv is defined and install_additional_packages_in_virtualenv.changed) or
 
    (deploy_systemd_socket_configuration is defined and deploy_systemd_socket_configuration.changed) or
 
    (deploy_systemd_service_configuration is defined and deploy_systemd_service_configuration.changed) or
 
    (install_gunicorn_via_requirements is defined and install_gunicorn_via_requirements.changed) or
 
    (run_handlers | default(False) | bool()))
roles/xmpp_server/tasks/main.yml
 
@@ -3,26 +3,26 @@
 
# Main implementation
 
# ===================
 

	
 
- name: Set-up the Debian backports repository
 
  template:
 
    src: backports.list.j2
 
    dest: /etc/apt/sources.list.d/backports.list
 
    owner: root
 
    group: root
 
    mode: 0644
 
  register: backports_repository_configuration
 

	
 
- name: Update apt cache if backports repository configuration changed (for immediate use)  # noqa 503
 
  # [503] Tasks that run when changed should likely be handlers
 
- name: Update apt cache if backports repository configuration changed (for immediate use)  # noqa no-handler
 
  # [no-handler] Tasks that run when changed should likely be handlers
 
  #   Since apt_repository module is not reliable (does not deploy
 
  #   change when changing distro version etc), we have to use
 
  #   template instead, but this also means we need to trigger the apt
 
  #   cache reload by hand.
 
  apt:
 
    update_cache: true
 
  when: backports_repository_configuration.changed
 

	
 
- name: Install additional Prosody dependencies
 
  apt:
 
    name:
 
      - lua-ldap