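---
# Playbook for ch-http-proxy: base system setup, then nginx as the
# TLS-terminating reverse proxy in front of several chaos-at-home services
# (a catch-all default site, the legacy whawty auth backend, the legacy
# webmail/webdav host) plus a floating HTTP service IP.
- name: Basic Setup
  hosts: ch-http-proxy
  roles:
    - role: apt-repo/base
    - role: core/base
    - role: core/sshd/base
    - role: core/zsh
    - role: core/ntp

- name: Payload Setup
  hosts: ch-http-proxy
  roles:
    - role: apt-repo/spreadspace
    - role: monitoring/prometheus/exporter
    - role: x509/acmetool/base
    - role: nginx/base
    - role: nginx/auth/whawty-sso/base
    - role: nginx/auth/whawty-sso/login
    - role: apps/publish/base
  post_tasks:
    #### web.chaos-at-home.org (default-server)
    # Catch-all vhost: requests whose Host header matches no other vhost get a
    # static "No Such Site" page instead of silently landing on the first
    # configured site. Modes are pinned explicitly so the result does not
    # depend on the controller's umask.
    - name: create directory for default server
      file:
        path: /var/www/default
        state: directory
        mode: "0755"

    - name: copy chaos-at-home logo file
      copy:
        src: "{{ global_files_dir }}/chaos-at-home/logo.jpg"
        dest: /var/www/default/logo.jpg
        mode: "0644"

    # NOTE(review): only the visible text of the page survives in this
    # listing; the surrounding HTML markup (title, img tag pointing at
    # logo.jpg) appears to have been stripped -- compare with the repository
    # copy before relying on this content.
    - name: install index.html for default server
      copy:
        dest: /var/www/default/index.html
        mode: "0644"
        content: |
          No Such Site
          chaos@home Logo

          You have reached the chaos@home internal webserver, however the URL that you used is unknown to this host.

    - name: configure default vhost web.chaos-at-home.org
      vars:
        nginx_vhost:
          default: true
          name: web
          template: generic
          tls:
            certificate_provider: acmetool
            certificate_config:
              request:
                challenge:
                  # Disabled for every vhost in this play -- presumably because
                  # the public names do not resolve back to this host from the
                  # inside; confirm before re-enabling the self-test.
                  http-self-test: false
          hostnames:
            - web.chaos-at-home.org
          locations:
            '/':
              root: /var/www/default
              index: index.html
      include_role:
        name: nginx/vhost

    #### passwd.chaos-at-home.org
    - name: create directory for whawty auth ca cert
      file:
        path: /etc/ssl/whawty-auth-ca
        state: directory
        mode: "0755"

    # Private CA that issued the TLS certificate of the legacy whawty auth
    # backend; nginx verifies the upstream against it. The embedded CA
    # certificate carries notAfter 2025-08-27, after which proxy_ssl_verify
    # will reject the backend and passwd.chaos-at-home.org returns 502.
    - name: install whawty auth ca cert
      copy:
        dest: /etc/ssl/whawty-auth-ca/ca.pem
        mode: "0644"
        content: |
          -----BEGIN CERTIFICATE-----
          MIIF3jCCA8agAwIBAgIUQLP44rt/4d91qIT8oOVKMb3+WVQwDQYJKoZIhvcNAQEN
          BQAwgYYxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIEwZTdHlyaWExDTALBgNVBAcTBEdy
          YXoxFjAUBgNVBAoTDWNoYW9zLWF0LWhvbWUxFDASBgNVBAsTC3doYXd0eS1hdXRo
          MSkwJwYDVQQDEyBjaGFvcy1hdC1ob21lIENBIGZvciB3aGF3dHktYXV0aDAeFw0y
          MDA4MjgxOTQzMDBaFw0yNTA4MjcxOTQzMDBaMIGGMQswCQYDVQQGEwJBVDEPMA0G
          A1UECBMGU3R5cmlhMQ0wCwYDVQQHEwRHcmF6MRYwFAYDVQQKEw1jaGFvcy1hdC1o
          b21lMRQwEgYDVQQLEwt3aGF3dHktYXV0aDEpMCcGA1UEAxMgY2hhb3MtYXQtaG9t
          ZSBDQSBmb3Igd2hhd3R5LWF1dGgwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
          AoICAQCyoleHLYcu2vBbwa3OuukNHKWKrdohAJPPOc5rRTNv2ENiTn1U3Mmuo2Sk
          1DODyQCsuFS92wWNq7T+aFKoHt1VlUkT73ytVduCdu06j6N7I8CUqFBMKvs2e7iO
          mjV8ur7F/0LpSvF812aqOEHqGKjjsaHGy8TMb9OnxtcvU4Icit7jnTDspIec8rQY
          dfo4tHtYNvwmyiLk3nTorpFMREmyDRYNijtYy+RO+dN+8/Cg5GmiAVBPLHu0DyGA
          VtRmZsKKWXCPloWNwdalKDfn8ZRP7zzurkAAtQMvYMJiTxucRfnvkeT1AK+mWVuJ
          REpFOFNJtrdismIPaeQ0VwgJEOXmFCsOTJpksVbOoFK9HSDliNOVIIpbDxp7Pm5I
          RIpw1f3RBEejrg7tqOM+tn7In1s783sPNqMFf7WDyl2wNaAoAQvmY+BL4jS/HTOj
          KiAWEoU2ncPlL5VnWDkH2npSD3lGuSXUiIikL5MGPjwOjYICW5dKLtLzbC7ElODI
          GWCzZRHFMewgBGsOfcLQjOYlwwtMWbkZ5OTXYAUDhW5k3WXav+7fHcV5Ydp+OLAH
          mVkn3EiIWySuMdGp9eEFoxAQeJLnX1/gc30cWSh20VxUmE2HpgCW9UliCeUrRFFE
          cI+cWdzmVNkOr6MyeGOA8dTThBrRW5kFBnrQTTd8fyGCds5uyQIDAQABo0IwQDAO
          BgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUFFTxZcX0
          E66DaRMRikHxfMfCf9AwDQYJKoZIhvcNAQENBQADggIBAJh4CyhxoQfWhyfpnbgh
          yDjvtC9gHo3mGHUBjc4QOaAC0MQocEbk5+FCmV0cMzqJ7fWNCckXs+mV08GFqNxv
          MzzyfLQuOc5WNnr7uLTQ/PCsjQ5ohzE40WKugfABiZhG49R1nWky5aM31LfhJ2Am
          VqJhz8b50YC3aq1R2P0nJ7zLAZzfIpb3fgeLsENV9fxNDA5xLCTsqkdjTpZ79MZy
          Ud3W02KZY0izd95gkvaWp8uCSTagYNBlMTIYLdEBnUIHlSGca5dXVACtuWBE3v3N
          DcomliXUpHcCun9pzsgBjN1OpR9PN/FOXFHbiM734CHl6ddsWDFmpQC4mzA/QPNb
          CZtfslr1WvWOTd8N+ksph68v7xFbIalYOfJf+f8VjunU7Kxgl6oQ/7m8GGnQ8Ah7
          JUCeiEeOZuN6C4yRArYD55AG/5NcrwVJzJ2q/K3B8YlXIpuQVNEOUbyT97deD+cC
          c+1HymHgT6RGVeU8W1M7JNv9Qwzo41Um1LVWk8c2mXuyq76E58XaC3aL/K6i5VfP
          /04Dx9VVnGu2nUoCmryWgh+Pa3M20GWdG85cAb4b3srf7KoeaOeWzv5QqIj1tcJs
          EdaZIyg65dC5dMuuQ0geCEoTaBjOWUiTzBGgvFXkdVHSfyBh+BRbTHMnIuPIwe+c
          y8wejeuvOelX6YEzJpnebARk
          -----END CERTIFICATE-----

    - name: configure vhost for passwd.chaos-at-home.org
      vars:
        nginx_vhost:
          name: passwd
          template: generic
          tls:
            certificate_provider: acmetool
            certificate_config:
              request:
                challenge:
                  http-self-test: false
          hostnames:
            - passwd.chaos-at-home.org
          locations:
            '/':
              proxy_pass: "https://{{ network_zones.svc.prefix | ansible.utils.ipaddr(network_zones.svc.offsets['ch-auth-legacy']) | ansible.utils.ipaddr('address') }}/"
              # Re-encrypt towards the backend and verify its certificate
              # against the private CA installed above. The name nginx checks
              # is the host part of proxy_pass, i.e. the bare IP address, so
              # the backend certificate has to match that (or proxy_ssl_name
              # must be set) -- cannot be confirmed from here.
              proxy_ssl:
                verify: "on"
                trusted_certificate: /etc/ssl/whawty-auth-ca/ca.pem
      include_role:
        name: nginx/vhost

    #### webmail.chaos-at-home.org and webdav.chaos-at-home.org
    - name: create directory for prometheus-old ca cert
      file:
        path: /etc/ssl/prometheus-old-ca
        state: directory
        mode: "0755"

    # Private CA for the legacy webmail/webdav host (ch-prometheus-legacy).
    # Like the whawty CA, the embedded certificate carries notAfter
    # 2025-08-27; both legacy vhosts below stop working once it expires.
    - name: install prometheus-old ca cert
      copy:
        dest: /etc/ssl/prometheus-old-ca/ca.pem
        mode: "0644"
        content: |
          -----BEGIN CERTIFICATE-----
          MIIF6jCCA9KgAwIBAgIUXDQZo0d3tcTa4oilKki+E9md8GIwDQYJKoZIhvcNAQEN
          BQAwgYwxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIEwZTdHlyaWExDTALBgNVBAcTBEdy
          YXoxFjAUBgNVBAoTDWNoYW9zLWF0LWhvbWUxFzAVBgNVBAsTDnByb21ldGhldXMt
          b2xkMSwwKgYDVQQDEyNjaGFvcy1hdC1ob21lIENBIGZvciBwcm9tZXRoZXVzLW9s
          ZDAeFw0yMDA4MjgyMTMwMDBaFw0yNTA4MjcyMTMwMDBaMIGMMQswCQYDVQQGEwJB
          VDEPMA0GA1UECBMGU3R5cmlhMQ0wCwYDVQQHEwRHcmF6MRYwFAYDVQQKEw1jaGFv
          cy1hdC1ob21lMRcwFQYDVQQLEw5wcm9tZXRoZXVzLW9sZDEsMCoGA1UEAxMjY2hh
          b3MtYXQtaG9tZSBDQSBmb3IgcHJvbWV0aGV1cy1vbGQwggIiMA0GCSqGSIb3DQEB
          AQUAA4ICDwAwggIKAoICAQDS1hSM5E7mhsv1c3S+cPmjxWAFz8N9xqSGk4JjRNxR
          wsM7o2aS18FZus+w/Ikp3sTfyNiK017lrnD1iwkTV+yHV9FFNq5FC7Jry3kZcjhH
          HirmRFJhXvsimsK6Ir/9ZuQ1EqhRv7HEnnG1W19UyQuk0VpTfcis4jNtMOuEcqG2
          arXah/8OOKpcsvIK03XWpLjw0UzNhemka66BC1W+Sg0iB3PmYOSUjJfxSulfZYN8
          YAP8QPhXCCrOw39EKiW4KcGnKhNQD8lulpk8kCZlr0Hd8bgxBzrQ+bDhMGEkbxnS
          7VaSSTLZIKUWT/4IzCMOrLFbL0k7e0DcOL0+D9lgGjqgDSKKxOi7U3BavilTRJvU
          9mq1B+7qrYrx3UfELNgYjUhF575iJmRRH+XKf4b/LGqyrAymRPpwnrubg7KUwGPa
          zScuGI4QakOVc5/zU6XML9msyz7p2IXmKqkAi/cxrH6VLK49r63Q8OPbLp17vaDp
          9TJaMyQ2QQDVaBulEfwIb1vSKiG+e+8frlXKBf7rtVbZxTda3VmUMFw56hbnT1vn
          zvnWwbTWj2in4BhCMbjyvA+HgPd5CAvXkQff4rX5+quLa6hqP/GbslDxtceDSrN0
          +GLRcFbBwxFSJhPmAyspUBDgKI6TaBwsaQIp54UF4wtmPOSmx7iRkYWELh7Jrfib
          YQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV
          HQ4EFgQUTSq7rSadFGLpZQMEOpI9Mt6ViM0wDQYJKoZIhvcNAQENBQADggIBAKeZ
          FH+eabDb1JU41hIYrboPbL3N6G8IW9VxfAIQ/W3jYEHz+gLf7CAOZIqbZCrexajs
          +hqamNAZ+eXQ+9o9IcGXHx5ifDDWLDVl0i/7qQ1cl+oXQ4Ua6jSN/I1UghPkV+Pt
          X3Rptl+HLGtTjUcP8Sd78ugBnhM1T8oB9i/xkP9idP7H95C/JKnBER+uH8u67LVe
          gYRZS6R+tI3vX1CrjdI0zps0TDWU9sixsu2BF8HHc6AJ6t+1oAVtvpNQcwl1Kll5
          XtSUp+rdc5SHQ2Omq+S4WZ8nW88IrT+VG6WflYvg2F1Wzk9D1KYcAl1vox/nqKg5
          iqy0BlygrwTLJGS1uNSbIPTHFPgIX7VVQc+u3TLwqFaexXwG5382jD3n4uAr65SM
          zP2O8JWZMukdWSP2cAFkKCNUCpYNiA0cyCtdtNw+vWqXXFdc0uvnILROB/dQ6RJA
          MviUhGFMdtcoW/bMXDlpJTVFQhhFwJmMatvPIAq9Z+OkvV+T/y87NfE/KUDKB+Hy
          oFx9xgax8wsZUNEZMyDMVGcV1oLn1/dsKhHShYVQsDoJcc1egkL+Di8TtT7SwNxg
          zT1Rzi1tmVUMLM+CeyP1bbf4YPrH4ulk1Evj2ZHzF6hwKxavvm8hHidmd82FVcik
          ePVA2hh60RUIGEAKyJS23SWUdaFe5+hxxYFQ3qAB
          -----END CERTIFICATE-----

    - name: configure vhost for webmail.chaos-at-home.org
      vars:
        nginx_vhost:
          name: webmail
          template: generic
          tls:
            certificate_provider: acmetool
            certificate_config:
              request:
                challenge:
                  http-self-test: false
          hostnames:
            - webmail.chaos-at-home.org
          locations:
            '/':
              proxy_pass: "https://{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}/"
              # Deliberately weakened upstream hop: TLS 1.0 only, and
              # SECLEVEL=0 removes OpenSSL's key-size/cipher floor -- presumably
              # because the legacy host cannot negotiate anything newer.
              # Certificate verification against the pinned CA is the only
              # thing keeping this hop from being trivially intercepted on the
              # LAN, so never relax `verify` here. Newer OpenSSL builds may
              # refuse TLS 1.0 regardless of these settings; drop both
              # overrides once ch-prometheus-legacy is retired.
              proxy_ssl:
                verify: "on"
                trusted_certificate: /etc/ssl/prometheus-old-ca/ca.pem
                protocols: TLSv1
                ciphers: "DEFAULT@SECLEVEL=0"
              extra_directives: |-
                client_max_body_size 200M;
      include_role:
        name: nginx/vhost

    - name: configure vhost for webdav.chaos-at-home.org
      vars:
        nginx_vhost:
          name: webdav
          template: generic
          tls:
            certificate_provider: acmetool
            certificate_config:
              request:
                challenge:
                  http-self-test: false
          hostnames:
            - webdav.chaos-at-home.org
          locations:
            '/':
              proxy_pass: "https://{{ network_zones.lan.prefix | ansible.utils.ipaddr(network_zones.lan.offsets['ch-prometheus-legacy']) | ansible.utils.ipaddr('address') }}/"
              # Same legacy backend and the same weakened TLS settings as the
              # webmail vhost above; keep the two in sync and remove together.
              proxy_ssl:
                verify: "on"
                trusted_certificate: /etc/ssl/prometheus-old-ca/ca.pem
                protocols: TLSv1
                ciphers: "DEFAULT@SECLEVEL=0"
      include_role:
        name: nginx/vhost

    #### imap.chaos-at-home.org
    # Plain-HTTP vhost with no TLS of its own: it only forwards ACME HTTP-01
    # challenges to the IMAP host (so that host can obtain its own
    # certificate) and bounces everything else to webmail over HTTPS.
    - name: configure vhost for imap.chaos-at-home.org
      vars:
        nginx_vhost:
          name: imap
          content: |
            server {
              listen 80;
              listen [::]:80;
              server_name imap.chaos-at-home.org;

              location /.well-known/acme-challenge/ {
                proxy_pass http://{{ network_services.imap.addr }};
              }
              location / {
                return 303 https://webmail.chaos-at-home.org;
              }
            }
      include_role:
        name: nginx/vhost

    ### Service IP
    # Oneshot unit that attaches the shared HTTP service address to the
    # primary interface and removes it again on stop. `ip addr add` fails if
    # the address is already present (e.g. added by hand); `ip addr replace`
    # would be the idempotent form should that ever bite.
    - name: install systemd service unit for service-ip
      copy:
        dest: /etc/systemd/system/http-service-ip.service
        content: |
          [Unit]
          Description=Assign HTTP Sevice IP
          After=network.target

          [Service]
          Type=oneshot
          ExecStart=/usr/sbin/ip addr add dev {{ network.primary.name }} {{ network_services.http.addr }}/32
          ExecStop=/usr/sbin/ip addr del dev {{ network.primary.name }} {{ network_services.http.addr }}/32
          RemainAfterExit=yes

          [Install]
          WantedBy=multi-user.target
      register: service_ip_systemd_unit

    # Restart only when the unit file changed so the address is re-plumbed
    # with the new parameters; otherwise just make sure it is up.
    - name: make sure service-ip systemd unit is enabeld and started
      systemd:
        daemon_reload: true
        name: http-service-ip.service
        state: "{{ (service_ip_systemd_unit is changed) | ternary('restarted', 'started') }}"
        enabled: true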