mode: 0600

  notify:

    - Assemble Duply include patterns

- name: Explicitly run all handlers

  include: ../handlers/main.yml

  tags:

    - handlers

  notify:

    - Clean-up GnuPG keyring for import of new keys

    - Import private keys

    - Import public keys

- name: Extract encryption key identifier (Duplicty requires key ID in hexadecimal format)

    head -n1 | sed -e 's/.*: //' | sed -re 's/^.{{ '{' + gnupg_key_cutoff + '}' }}//'"

  register: backup_encryption_key_id

  changed_when: false

- name: Extract additional encryption keys identifiers (Duplicty requires key ID in hexadecimal format)

    sed -e 's/.*: //' | sort -u | sed -re 's/^.{{ '{' + gnupg_key_cutoff + '}' }}//' | tr '\n' ',' | sed -e 's/,$//'"

  when: backup_additional_encryption_keys

  register: backup_additional_encryption_keys_ids

  changed_when: false

- name: Deploy private SSH key for logging-in into backup server

  copy:

    content: "{{ backup_ssh_key }}"

    dest: "/etc/duply/main/ssh/identity"

    owner: root

    group: root

    owner: root

    mode: 0600

- name: Explicitly run all handlers

  include: ../handlers/main.yml

  tags:

    - handlers

    user: root

    key: "{{ ansible_key }}"

    state: absent

- name: Explicitly run all handlers

  include: ../handlers/main.yml

  tags:

    - handlers

  notify:

    - Restart ferm

- name: Enable ferm service on boot (workaround for systemctl broken handling of SysV)

  command: "rcconf -on ferm"

  register: result

- name: Enable ferm service

  service:

    name: ferm

    state: started

  when: ntp_servers

  notify:

    - Restart NTP server

- name: Explicitly run all handlers

  include: ../handlers/main.yml

  tags:

    - handlers

- name: Enable backup

  include: backup.yml

  when: enable_backup

- name: Explicitly run all handlers

  include: ../handlers/main.yml

  tags:

    - handlers

      - python-mysqldb

    state: present

- name: Enable MariaDB service on boot (workaround for systemctl broken handling of SysV)

  command: rcconf -on mysql

  register: result

- name: Enable and start MariaDB

  service:

    name: mysql

    state: started

  when: "ansible_distribution_release == 'stretch'"

  register: "root_using_unix_socket_authentication"

  changed_when: false

- name: Disable use of unix socket login on Debian Stretch (temporary workaround)

  command: "mysql -B -e \"update mysql.user set plugin='' where user='root' and plugin='unix_socket'; flush privileges;\""

- name: Remove UTF-8 encoding configuration file from the old location on Debian Stretch

  file:

    path: "/etc/mysql/conf.d/utf8.cnf"

    state: absent

  when: "ansible_distribution_release == 'stretch'"

    #   subsequent tasks that create databases will end-up with correct (UTF-8)

    #   encoding. Otherwise they will be created using default latin1.

    - skip_ansible_lint

- name: Explicitly run all handlers

  include: ../handlers/main.yml

  tags:

    - handlers

    owner: root

    group: root

    mode: 0644

- name: Explicitly run all handlers

  include: ../handlers/main.yml

  tags:

    - handlers

  notify:

    - Restart slapd

- name: Enable slapd service on boot (workaround for systemctl broken handling of SysV)

  command: "rcconf -on slapd"

  register: result

- name: Enable slapd service

  service:

    name: slapd

    state: started

  command: "ldapsearch -H ldapi:/// -Q -LLL -A -Y EXTERNAL -b cn=schema,cn=config -s one '(cn={*}misc)' cn"

  register: ldap_misc_schema_present

  changed_when: false

- name: Deploy LDAP misc schema

  command: "ldapadd -H ldapi:/// -Q -Y EXTERNAL -f /etc/ldap/schema/misc.ldif"

- name: Deploy LDAP TLS private key

  template:

    src: "ldap_tls_key.j2"

    dest: "/etc/ssl/private/{{ ansible_fqdn }}_ldap.key"

    mode: 0640

- name: Create user-supplied LDAP entries

  ldap_entry:

    dn: "{{ item.dn }}"

    objectClass: "{{ item.attributes.objectClass }}"

    attributes: "{{ item.attributes }}"

  with_items: "{{ ldap_entries }}"

- name: Deploy firewall configuration for LDAP

  copy:

    src: "ferm_ldap.conf"

    dest: "/etc/ferm/conf.d/10-ldap.conf"

- name: Enable backup

  include: backup.yml

  when: enable_backup

- name: Explicitly run all handlers

  include: ../handlers/main.yml

  tags:

    - handlers

  apt:

    name: swaks

    state: present

- name: Explicitly run all handlers

  include: ../handlers/main.yml

  tags:

    - handlers

    mode: 0640

  when: item != "localhost"

  with_items: "{{ groups['all'] }}"

- name: Explicitly run all handlers

  include: ../handlers/main.yml

  tags:

    - handlers

    - "{{ php_base_config_dir }}/fpm/conf.d/"

  notify:

    - Restart PHP-FPM

- name: Explicitly run all handlers

  include: ../handlers/main.yml

  tags:

    - handlers

  notify:

    - Restart Prosody

- name: Enable Prosody service on boot (workaround for systemctl broken handling of SysV)

  command: "rcconf -on prosody"

  register: result

- name: Enable and start Prosody service

  service:

    name: prosody

    state: started

    mode: 0640

  notify:

    - Restart ferm

- name: Explicitly run all handlers

  include: ../handlers/main.yml

  tags:

    - handlers