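---
# Playbook for the ch-http-proxy host: a base setup play followed by the
# "payload" play that installs nginx, the SSO/auth roles and the vhosts that
# front web.*, webmail.*, webdav.* and imap.chaos-at-home.org, plus a systemd
# unit that binds the shared HTTP service IP.
#
# Booleans are written as true/false (YAML 1.2 canonical form) instead of the
# YAML 1.1 "yes" spelling; Ansible accepts both, yamllint's truthy rule only
# the former.
- name: Basic Setup
  hosts: ch-http-proxy
  roles:
    - role: apt-repo/base
    - role: core/base
    - role: core/sshd/base
    - role: core/zsh
    - role: core/ntp

- name: Payload Setup
  hosts: ch-http-proxy
  roles:
    - role: apt-repo/spreadspace
    - role: nginx/base
    - role: monitoring/prometheus/exporter
    - role: x509/static-ca/base
    - role: x509/acmetool/base
    - role: whawty/auth/store
    - role: nginx/auth/whawty-sso/base
    - role: nginx/auth/whawty-sso/login
    - role: apps/publish/base
  post_tasks:
    #### web.chaos-at-home.org (default-server)
    - name: create directory for default server
      file:
        path: /var/www/default
        state: directory

    - name: copy chaos-at-home logo file
      copy:
        src: "{{ global_files_dir }}/chaos-at-home/logo.jpg"
        dest: /var/www/default/logo.jpg

    # NOTE(review): only the visible text of the landing page is reproduced
    # below; if the original file carried HTML markup (e.g. an <img> for
    # logo.jpg, which is copied above but not referenced here), that markup
    # is not recoverable from this listing — confirm against the repository.
    - name: install index.html for default server
      copy:
        dest: /var/www/default/index.html
        content: |
          No Such Site
          chaos@home Logo

          You have reached the chaos@home internal webserver, however the URL that you used is unknown to this host.

    # Catch-all vhost: requests for unknown names land on the static page
    # above instead of on one of the proxied applications.
    - name: configure default vhost web.chaos-at-home.org
      vars:
        nginx_vhost:
          default: true
          name: web
          template: generic
          tls:
            certificate_provider: acmetool
            certificate_config:
              request:
                challenge:
                  http-self-test: false
          hostnames:
            - web.chaos-at-home.org
          locations:
            '/':
              root: /var/www/default
              index: index.html
      include_role:
        name: nginx/vhost

    #### webmail.chaos-at-home.org and webdav.chaos-at-home.org
    - name: create directory for prometheus-old ca cert
      file:
        path: /etc/ssl/prometheus-old-ca
        state: directory

    # CA used to verify the TLS certificate of the legacy upstream that the
    # webmail/webdav vhosts proxy to (proxy_ssl trusted_certificate below).
    # This is a public CA certificate, not a key, so committing it is fine.
    # NOTE(review): the UTCTime fields in the embedded DER decode to
    # notBefore 2020-08-28 / notAfter 2025-08-27; once the upstream chain
    # expires, `verify on` will make both proxied vhosts fail closed — check
    # with `openssl x509 -noout -dates` and plan the rollover.
    - name: install prometheus-old ca cert
      copy:
        dest: /etc/ssl/prometheus-old-ca/ca.pem
        content: |
          -----BEGIN CERTIFICATE-----
          MIIF6jCCA9KgAwIBAgIUXDQZo0d3tcTa4oilKki+E9md8GIwDQYJKoZIhvcNAQEN
          BQAwgYwxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIEwZTdHlyaWExDTALBgNVBAcTBEdy
          YXoxFjAUBgNVBAoTDWNoYW9zLWF0LWhvbWUxFzAVBgNVBAsTDnByb21ldGhldXMt
          b2xkMSwwKgYDVQQDEyNjaGFvcy1hdC1ob21lIENBIGZvciBwcm9tZXRoZXVzLW9s
          ZDAeFw0yMDA4MjgyMTMwMDBaFw0yNTA4MjcyMTMwMDBaMIGMMQswCQYDVQQGEwJB
          VDEPMA0GA1UECBMGU3R5cmlhMQ0wCwYDVQQHEwRHcmF6MRYwFAYDVQQKEw1jaGFv
          cy1hdC1ob21lMRcwFQYDVQQLEw5wcm9tZXRoZXVzLW9sZDEsMCoGA1UEAxMjY2hh
          b3MtYXQtaG9tZSBDQSBmb3IgcHJvbWV0aGV1cy1vbGQwggIiMA0GCSqGSIb3DQEB
          AQUAA4ICDwAwggIKAoICAQDS1hSM5E7mhsv1c3S+cPmjxWAFz8N9xqSGk4JjRNxR
          wsM7o2aS18FZus+w/Ikp3sTfyNiK017lrnD1iwkTV+yHV9FFNq5FC7Jry3kZcjhH
          HirmRFJhXvsimsK6Ir/9ZuQ1EqhRv7HEnnG1W19UyQuk0VpTfcis4jNtMOuEcqG2
          arXah/8OOKpcsvIK03XWpLjw0UzNhemka66BC1W+Sg0iB3PmYOSUjJfxSulfZYN8
          YAP8QPhXCCrOw39EKiW4KcGnKhNQD8lulpk8kCZlr0Hd8bgxBzrQ+bDhMGEkbxnS
          7VaSSTLZIKUWT/4IzCMOrLFbL0k7e0DcOL0+D9lgGjqgDSKKxOi7U3BavilTRJvU
          9mq1B+7qrYrx3UfELNgYjUhF575iJmRRH+XKf4b/LGqyrAymRPpwnrubg7KUwGPa
          zScuGI4QakOVc5/zU6XML9msyz7p2IXmKqkAi/cxrH6VLK49r63Q8OPbLp17vaDp
          9TJaMyQ2QQDVaBulEfwIb1vSKiG+e+8frlXKBf7rtVbZxTda3VmUMFw56hbnT1vn
          zvnWwbTWj2in4BhCMbjyvA+HgPd5CAvXkQff4rX5+quLa6hqP/GbslDxtceDSrN0
          +GLRcFbBwxFSJhPmAyspUBDgKI6TaBwsaQIp54UF4wtmPOSmx7iRkYWELh7Jrfib
          YQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV
          HQ4EFgQUTSq7rSadFGLpZQMEOpI9Mt6ViM0wDQYJKoZIhvcNAQENBQADggIBAKeZ
          FH+eabDb1JU41hIYrboPbL3N6G8IW9VxfAIQ/W3jYEHz+gLf7CAOZIqbZCrexajs
          +hqamNAZ+eXQ+9o9IcGXHx5ifDDWLDVl0i/7qQ1cl+oXQ4Ua6jSN/I1UghPkV+Pt
          X3Rptl+HLGtTjUcP8Sd78ugBnhM1T8oB9i/xkP9idP7H95C/JKnBER+uH8u67LVe
          gYRZS6R+tI3vX1CrjdI0zps0TDWU9sixsu2BF8HHc6AJ6t+1oAVtvpNQcwl1Kll5
          XtSUp+rdc5SHQ2Omq+S4WZ8nW88IrT+VG6WflYvg2F1Wzk9D1KYcAl1vox/nqKg5
          iqy0BlygrwTLJGS1uNSbIPTHFPgIX7VVQc+u3TLwqFaexXwG5382jD3n4uAr65SM
          zP2O8JWZMukdWSP2cAFkKCNUCpYNiA0cyCtdtNw+vWqXXFdc0uvnILROB/dQ6RJA
          MviUhGFMdtcoW/bMXDlpJTVFQhhFwJmMatvPIAq9Z+OkvV+T/y87NfE/KUDKB+Hy
          oFx9xgax8wsZUNEZMyDMVGcV1oLn1/dsKhHShYVQsDoJcc1egkL+Di8TtT7SwNxg
          zT1Rzi1tmVUMLM+CeyP1bbf4YPrH4ulk1Evj2ZHzF6hwKxavvm8hHidmd82FVcik
          ePVA2hh60RUIGEAKyJS23SWUdaFe5+hxxYFQ3qAB
          -----END CERTIFICATE-----

    # The webmail and webdav vhosts terminate TLS with an acmetool cert and
    # re-encrypt to ch-prometheus-legacy (address derived from the LAN zone
    # offsets). `protocols: TLSv1` together with `ciphers: DEFAULT@SECLEVEL=0`
    # deliberately re-enables a protocol/security level that nginx/OpenSSL
    # refuse by default, because the legacy upstream supports nothing newer.
    # The downgrade is confined to that one nginx->upstream hop and is bounded
    # by `verify: on` against the dedicated prometheus-old CA installed above,
    # so a MITM on the LAN still needs a cert from that CA. Drop both settings
    # as soon as the legacy host is retired or upgraded.
    - name: configure vhost for webmail.chaos-at-home.org
      vars:
        nginx_vhost:
          name: webmail
          template: generic
          tls:
            certificate_provider: acmetool
            certificate_config:
              request:
                challenge:
                  http-self-test: false
          hostnames:
            - webmail.chaos-at-home.org
          locations:
            '/':
              proxy_pass: "https://{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}/"
              proxy_ssl:
                verify: "on"
                trusted_certificate: /etc/ssl/prometheus-old-ca/ca.pem
                protocols: TLSv1
                ciphers: "DEFAULT@SECLEVEL=0"
              # Webmail uploads (attachments) need a larger body limit than
              # the nginx default.
              extra_directives: |-
                client_max_body_size 200M;
      include_role:
        name: nginx/vhost

    # Same upstream and the same legacy-TLS caveat as the webmail vhost above.
    - name: configure vhost for webdav.chaos-at-home.org
      vars:
        nginx_vhost:
          name: webdav
          template: generic
          tls:
            certificate_provider: acmetool
            certificate_config:
              request:
                challenge:
                  http-self-test: false
          hostnames:
            - webdav.chaos-at-home.org
          locations:
            '/':
              proxy_pass: "https://{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}/"
              proxy_ssl:
                verify: "on"
                trusted_certificate: /etc/ssl/prometheus-old-ca/ca.pem
                protocols: TLSv1
                ciphers: "DEFAULT@SECLEVEL=0"
      include_role:
        name: nginx/vhost

    #### imap.chaos-at-home.org
    # Plain-HTTP vhost (no tls: block): ACME HTTP-01 challenge requests are
    # forwarded to the IMAP host (presumably so it can obtain its own
    # certificate), everything else is redirected to the webmail frontend.
    - name: configure vhost for imap.chaos-at-home.org
      vars:
        nginx_vhost:
          name: imap
          template: generic
          hostnames:
            - imap.chaos-at-home.org
          locations:
            '/.well-known/acme-challenge/':
              proxy_pass: "http://{{ network_services.imap.addr }}"
            '/':
              return: "303 https://webmail.chaos-at-home.org"
      include_role:
        name: nginx/vhost

    ### Service IP
    # Oneshot unit that adds the shared HTTP service address as a /32 on the
    # primary interface at boot and removes it again on stop; RemainAfterExit
    # keeps the unit "active" so the ExecStop runs on shutdown.
    - name: install systemd service unit for service-ip
      copy:
        dest: /etc/systemd/system/http-service-ip.service
        content: |
          [Unit]
          Description=Assign HTTP Sevice IP
          After=network.target

          [Service]
          Type=oneshot
          ExecStart=/usr/sbin/ip addr add dev {{ network.primary.name }} {{ network_services.http.addr }}/32
          ExecStop=/usr/sbin/ip addr del dev {{ network.primary.name }} {{ network_services.http.addr }}/32
          RemainAfterExit=yes

          [Install]
          WantedBy=multi-user.target
      register: service_ip_systemd_unit

    # Restart only when the unit file actually changed; otherwise just make
    # sure it is running.
    - name: make sure service-ip systemd unit is enabeld and started
      systemd:
        daemon_reload: true
        name: http-service-ip.service
        state: "{{ (service_ip_systemd_unit is changed) | ternary('restarted', 'started') }}"
        enabled: true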