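---
# Base system set-up for Debian-based hosts: apt proxy, umask/PAM hardening,
# shell profiles, users and groups, SSH hardening, CA certificates, the ferm
# firewall, certificate expiry checks and pip requirements checks.
#
# Tasks are written in native block YAML rather than free-form key=value
# strings: file modes stay quoted strings (never octal ints), booleans are
# true/false, and loops/conditions are explicit. Deprecated `state=installed`
# is replaced by `present`, the value the rest of the file already uses.

- name: Enable use of proxy for retrieving system packages via apt
  template:
    src: apt_proxy.j2
    dest: /etc/apt/apt.conf.d/00proxy
    owner: root
    group: root
    mode: "0644"
  when: apt_proxy is defined

- name: Disable use of proxy for retrieving system packages via apt
  file:
    path: /etc/apt/apt.conf.d/00proxy
    state: absent
  when: apt_proxy is undefined

- name: Deploy pam-auth-update configuration file for enabling pam_umask
  copy:
    src: pam_umask
    dest: /usr/share/pam-configs/umask
    owner: root
    group: root
    mode: "0644"
  notify: Update PAM configuration

# backrefs keeps the original whitespace between keyword and value; with
# backrefs enabled lineinfile leaves the file untouched when regexp matches
# nothing, so a missing UMASK/DIR_MODE line is not added.
- name: Set login UMASK
  lineinfile:
    dest: /etc/login.defs
    state: present
    backrefs: true
    regexp: '^UMASK(\s+)'
    line: 'UMASK\g<1>027'

- name: Set home directory mask
  lineinfile:
    dest: /etc/adduser.conf
    state: present
    backrefs: true
    regexp: '^DIR_MODE='
    line: 'DIR_MODE=0750'

- name: Deploy bash profile configuration for fancier prompts
  template:
    src: bash_prompt.sh.j2
    dest: /etc/profile.d/bash_prompt.sh
    owner: root
    group: root
    mode: "0644"

- name: Deploy profile configuration that allows for user-specific profile.d files
  copy:
    src: user_profile_d.sh
    dest: /etc/profile.d/z99-user_profile_d.sh
    owner: root
    group: root
    mode: "0644"

- name: Replace default and skeleton bashrc
  copy:
    src: "{{ item.key }}"
    dest: "{{ item.value }}"
    owner: root
    group: root
    mode: "0644"
  with_dict:
    skel_bashrc: /etc/skel/.bashrc
    bashrc: /etc/bash.bashrc

- name: Calculate stock checksum for bashrc root account
  stat:
    path: /root/.bashrc
  register: root_bashrc_stat

# Only the Debian stock file (identified by checksum) is replaced, so a
# customised root bashrc is never overwritten. The exists guard is evaluated
# first: without it a missing /root/.bashrc leaves stat.checksum undefined
# and the task errors out instead of being skipped.
- name: Replace stock bashrc for root account with skeleton one
  copy:
    src: skel_bashrc
    dest: /root/.bashrc
    owner: root
    group: root
    mode: "0640"
  when: 'root_bashrc_stat.stat.exists and root_bashrc_stat.stat.checksum == "b737c392222ddac2271cc8d0d8cc0308d08cf458"'

- name: Install sudo
  apt:
    name: sudo
    state: present

- name: Install ssl-cert package
  apt:
    name: ssl-cert
    state: present

- name: Install rcconf (workaround for systemctl broken handling of SysV)
  apt:
    name: rcconf
    state: present

# The whole list is handed to apt in one go (one transaction) instead of
# one module invocation per package.
- name: Install common packages
  apt:
    name: "{{ common_packages }}"
    state: present

- name: Set-up MariaDB mysql_config symbolic link for compatibility (workaround for Debian bug 766996)
  file:
    src: /usr/bin/mariadb_config
    dest: /usr/bin/mysql_config
    state: link
  when: "'libmariadb-client-lgpl-dev-compat' in common_packages and ansible_distribution_release == 'jessie'"

- name: Disable electric-indent-mode for Emacs by default for all users
  copy:
    src: 01disable-electric-indent-mode.el
    dest: /etc/emacs/site-start.d/01disable-electric-indent-mode.el
    owner: root
    group: root
    mode: "0644"
  when: "'emacs24' in common_packages or 'emacs24-nox' in common_packages"

- name: Set-up operating system groups
  group:
    name: "{{ item.name }}"
    gid: "{{ item.gid | default(omit) }}"
    state: present
  with_items: "{{ os_groups }}"

# One private primary group per user; its gid deliberately mirrors the
# user's uid when one is given.
- name: Set-up operating system user groups
  group:
    name: "{{ item.name }}"
    gid: "{{ item.uid | default(omit) }}"
    state: present
  with_items: "{{ os_users }}"

- name: Set-up operating system users
  user:
    name: "{{ item.name }}"
    uid: "{{ item.uid | default(omit) }}"
    group: "{{ item.name }}"
    groups: "{{ item.additional_groups | default([]) | join(',') }}"
    append: true
    shell: /bin/bash
    state: present
    # "!" is a locked hash: without an explicit password the account cannot
    # log in with a password at all (key-based SSH login still works).
    password: "{{ item.password | default('!') }}"
    # Password is set only when the account is created, so re-running the
    # play does not reset passwords the users changed themselves.
    update_password: on_create
  with_items: "{{ os_users }}"

- name: Set-up authorised keys
  authorized_key:
    user: "{{ item.0.name }}"
    key: "{{ item.1 }}"
  with_subelements:
    - "{{ os_users | selectattr('authorized_keys', 'defined') | list }}"
    - authorized_keys

# SSH hardening. lineinfile rewrites the LAST line matching regexp; if a
# PermitRootLogin/PasswordAuthentication directive ever lives inside a Match
# block, that one would be edited instead of the global setting. validate
# runs sshd's config check on the candidate file before it is written, so a
# syntax error cannot leave the host with an unparseable sshd_config.
- name: Disable remote logins for root
  lineinfile:
    dest: /etc/ssh/sshd_config
    state: present
    regexp: "^PermitRootLogin"
    line: "PermitRootLogin no"
    validate: /usr/sbin/sshd -t -f %s
  notify:
    - Restart SSH

# Authorised keys are deployed above, before password logins are switched off.
- name: Disable remote login authentication via password
  lineinfile:
    dest: /etc/ssh/sshd_config
    state: present
    regexp: "^PasswordAuthentication"
    line: "PasswordAuthentication no"
    validate: /usr/sbin/sshd -t -f %s
  notify:
    - Restart SSH

# Every entry of ca_certificates becomes a system-wide trusted CA, so the
# source of that variable deserves the same review as any root credential.
# Nothing here removes a .crt once deployed: dropping an entry from the dict
# leaves the file (and the trust) in place until it is deleted by hand.
- name: Deploy CA certificates
  copy:
    content: "{{ item.value }}"
    dest: "/usr/local/share/ca-certificates/{{ item.key }}.crt"
    mode: "0644"
    owner: root
    group: root
  with_dict: "{{ ca_certificates }}"
  register: deploy_ca_certificates_result

- name: Update CA certificate cache
  command: /usr/sbin/update-ca-certificates --fresh
  when: deploy_ca_certificates_result.changed
  tags:
    # [ANSIBLE0016] Tasks that run when changed should likely be handlers
    # CA certificate cache must be updated immediately so that applications
    # depending on deployed CA certificates can use them to validate
    # server/client certificates.
    - skip_ansible_lint

- name: Install ferm (for firewall management)
  apt:
    name: ferm
    state: present

- name: Configure ferm init script configuration file
  copy:
    src: ferm
    dest: /etc/default/ferm
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart ferm

- name: Create directory for storing ferm configuration files
  file:
    dest: /etc/ferm/conf.d/
    mode: "0750"
    state: directory
    owner: root
    group: root

- name: Deploy main ferm configuration file
  copy:
    src: ferm.conf
    dest: /etc/ferm/ferm.conf
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart ferm

- name: Deploy ferm base rules
  template:
    src: 00-base.conf.j2
    dest: /etc/ferm/conf.d/00-base.conf
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart ferm

- name: Enable ferm service on boot (workaround for systemctl broken handling of SysV)
  command: rcconf -on ferm
  register: result
  # NOTE(review): any run with empty stderr is reported as a change — confirm
  # what rcconf prints when the service is already enabled.
  changed_when: result.stderr == ""

- name: Enable ferm service
  service:
    name: ferm
    state: started

- name: Deploy script for validating server certificates
  copy:
    src: check_certificate.sh
    dest: /usr/local/bin/check_certificate.sh
    owner: root
    group: root
    mode: "0755"

- name: Set-up directory for holding configuration for certificate validation script
  file:
    path: /etc/check_certificate
    state: directory
    owner: root
    group: root
    mode: "0755"

# The check runs unprivileged (as nobody); /etc/check_certificate is
# world-readable so the script can still read its configuration.
- name: Deploy crontab entry for checking certificates
  cron:
    name: check_certificate
    cron_file: check_certificate
    hour: 0
    minute: 0
    job: /usr/local/bin/check_certificate.sh expiration
    state: present
    user: nobody

- name: Install apticron (for checking available upgrades)
  apt:
    name: apticron
    state: present

# Implementation for checking pip requirements files via pip-tools.

- name: Install virtualenv for pip requirements checks
  apt:
    name: virtualenv
    state: present

- name: Create dedicated group for user running pip requirements checks
  group:
    name: pipreqcheck
    gid: "{{ pipreqcheck_gid | default(omit) }}"
    state: present

- name: Create user for running pip requirements checks
  user:
    name: pipreqcheck
    uid: "{{ pipreqcheck_uid | default(omit) }}"
    group: pipreqcheck
    home: /var/lib/pipreqcheck
    state: present

- name: Create directory for Python virtual environment used for installing/running pip-tools
  file:
    path: /var/lib/pipreqcheck/virtualenv
    state: directory
    owner: pipreqcheck
    group: pipreqcheck
    mode: "0750"

# pip-tools runs as the dedicated unprivileged user, never as root.
- name: Create Python virtual environment used for installing/running pip-tools
  become: true
  become_user: pipreqcheck
  command: /usr/bin/virtualenv --prompt "(pipreqcheck)" "/var/lib/pipreqcheck/virtualenv"
  args:
    creates: /var/lib/pipreqcheck/virtualenv/bin/activate
  tags:
    # [ANSIBLE0012] Commands should not change things if nothing needs doing
    # Command will not run if the virtualenv has already been created,
    # therefore the warning is a false positive.
    - skip_ansible_lint

- name: Create directory for storing pip requirements files
  file:
    path: /etc/pip_check_requirements_upgrades
    state: directory
    owner: root
    group: pipreqcheck
    mode: "0750"

- name: Set-up directory for storing pip requirements file for pip-tools virtual environment itself
  file:
    path: /etc/pip_check_requirements_upgrades/pipreqcheck
    state: directory
    owner: root
    group: pipreqcheck
    mode: "0750"

- name: Deploy .in file for pip requirements in pip-tools virtual environment
  copy:
    src: pipreqcheck_requirements.in
    dest: /etc/pip_check_requirements_upgrades/pipreqcheck/requirements.in
    owner: root
    group: pipreqcheck
    mode: "0640"

- name: Deploy requirements file for pipreqcheck virtual environment
  template:
    src: pipreqcheck_requirements.txt.j2
    dest: /etc/pip_check_requirements_upgrades/pipreqcheck/requirements.txt
    owner: root
    group: pipreqcheck
    mode: "0640"

- name: Install latest pip in pip-tools virtual environment
  become: true
  become_user: pipreqcheck
  pip:
    name: "pip>=9.0.0,<10.0.0"
    virtualenv: ~pipreqcheck/virtualenv

- name: Install pip-tools if not present
  become: true
  become_user: pipreqcheck
  pip:
    name: pip-tools
    state: present
    virtualenv: ~pipreqcheck/virtualenv

# pip-sync prints "Everything up-to-date" when nothing was (un)installed;
# anything else is reported as a change.
- name: Synchronise pip-tools virtual environment via deployed requirements file
  become: true
  become_user: pipreqcheck
  shell: "source ~pipreqcheck/virtualenv/bin/activate && pip-sync /etc/pip_check_requirements_upgrades/pipreqcheck/requirements.txt"
  args:
    executable: /bin/bash
  register: pipreqcheck_pip_sync
  changed_when: "pipreqcheck_pip_sync.stdout != 'Everything up-to-date'"

- name: Deploy script for checking available upgrades
  copy:
    src: pip_check_requirements_upgrades.sh
    dest: /usr/local/bin/pip_check_requirements_upgrades.sh
    owner: root
    group: root
    mode: "0755"

# /etc/cron.d entries must be root-owned and not group/world-writable or cron
# ignores them.
- name: Deploy crontab entry for checking pip requirements
  copy:
    src: cron_check_pip_requirements
    dest: /etc/cron.d/check_pip_requirements
    owner: root
    group: root
    mode: "0644"

# Runs the handlers file as ordinary tasks when the play is invoked with
# handlers=true (e.g. to force restarts). Plain `include` is kept because the
# file targets an Ansible version predating include_tasks/import_tasks.
- name: Explicitly run all handlers
  include: ../handlers/main.yml
  when: "handlers | default(false) | bool"
  tags:
    - handlers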