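---
# Tasks for one or more whawty-nginx-sso login instances. Every key of
# whawty_nginx_sso_logins is one instance: the tasks below generate its
# optional static-backend htpasswd file, the directory for an optional bolt
# cookie store, the instance configuration, the systemd instance unit and an
# nginx vhost in front of it.
#
# All file modes are written as quoted strings: Ansible asks for quoted octal
# modes so the YAML parser does not turn 0400 into the integer 256 (which is
# 0o400, but fails in loops and some other contexts).

- name: create configuration directory
  file:
    path: /etc/nginx/auth/whawty-sso
    state: directory
  # NOTE(review): no owner/group/mode is pinned on the directory itself while
  # the files written into it below are 0400 — confirm which account the
  # service runs as before tightening the directory mode.

- name: generate htpasswd files for static backends
  # Only instances with a static auth backend whose htpasswd path is NOT set
  # explicitly get a generated file; explicitly configured paths are left
  # to whoever manages them.
  loop: >-
    {{ whawty_nginx_sso_logins | dict2items
    | selectattr('value.config.auth.static', 'defined')
    | selectattr('value.config.auth.static.htpasswd', 'undefined') }}
  loop_control:
    label: "{{ item.key }}"
  copy:
    # Credentials come from a per-instance variable named
    # whawty_nginx_sso_login_static_credentials__<instance>.
    # The bcrypt salt is derived from "<user>@whawty-nginx-sso_<instance>", so
    # repeated runs produce the same hash for an unchanged password and the
    # task stays idempotent; bcrypt_salt is not a stock Ansible filter and is
    # presumably provided by this role/collection — verify it exists.
    content: |
      {% for user,password in lookup('vars', 'whawty_nginx_sso_login_static_credentials__'~item.key).items() %}
      {{ user }}:{{ password | password_hash('bcrypt', (user~'@whawty-nginx-sso_'~item.key) | bcrypt_salt) }}
      {% endfor %}
    dest: "/etc/nginx/auth/whawty-sso/{{ item.key }}.htpasswd"
    mode: "0400"
  # NOTE(review): unlike the configuration file task, this task does not
  # notify the restart handler; if the service reads the htpasswd file only
  # at startup, credential changes will not take effect until the next
  # restart — confirm the service's reload behaviour.

- name: make sure store backend directories exist
  # Only instances using the bolt cookie backend need a store directory;
  # the default path mirrors the default injected into the config below.
  loop: >-
    {{ whawty_nginx_sso_logins | dict2items
    | selectattr('value.config.cookie.backend.bolt', 'defined') }}
  loop_control:
    label: "{{ item.key }}"
  file:
    path: "{{ item.value.config.cookie.backend.bolt.path | default('/var/lib/whawty/nginx-sso/'~item.key~'.bolt') | dirname }}"
    state: directory
    mode: "0700"
  # NOTE(review): no owner is set, so the directory belongs to the connecting
  # user (normally root); if the service runs unprivileged it cannot write
  # its bolt store here — confirm the service account.

- name: generate configuration file
  loop: "{{ whawty_nginx_sso_logins | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  copy:
    # dict.update() mutates the instance's config mapping in place; the
    # `_dummy` assignment only discards update()'s None return value. The
    # injected defaults match the paths used by the two tasks above.
    content: |
      # ansible generated
      {% set ssoconf = item.value.config %}
      {% if 'static' in ssoconf.auth and 'htpasswd' not in ssoconf.auth.static %}
      {% set _dummy = ssoconf.auth.static.update({'htpasswd': '/etc/nginx/auth/whawty-sso/'~item.key~'.htpasswd'}) %}
      {% endif %}
      {% if 'bolt' in ssoconf.cookie.backend and 'path' not in ssoconf.cookie.backend.bolt %}
      {% set _dummy = ssoconf.cookie.backend.bolt.update({'path': '/var/lib/whawty/nginx-sso/'~item.key~'.bolt'}) %}
      {% endif %}
      {{ ssoconf | to_nice_yaml(indent=2) }}
    dest: "/etc/nginx/auth/whawty-sso/{{ item.key }}.yml"
    # The rendered config may carry backend secrets, hence read-only for the
    # owner only.
    mode: "0400"
  notify: restart whawty-nginx-sso

- name: make sure nginx-sso services are enabled and started
  # `| list` on the mapping yields its keys, i.e. the instance names.
  loop: "{{ whawty_nginx_sso_logins | list }}"
  systemd:
    name: "whawty-nginx-sso@{{ item }}.service"
    daemon_reload: true
    state: started
    enabled: true

- name: configure vhost for whawty nginx-sso login
  loop: "{{ whawty_nginx_sso_logins | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  vars:
    nginx_vhost:
      name: "whawty-nginx-sso-{{ item.key }}"
      template: generic
      hostnames:
        - "{{ item.value.hostname }}"
      tls: "{{ item.value.tls }}"
      locations:
        '/':
          # assumes web.listen is a reachable host:port (not a bare ":port"
          # or wildcard form) — confirm against the instance configs.
          proxy_pass: "http://{{ item.value.config.web.listen }}/"
  include_role:
    name: nginx/vhost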