- hosts: surveytool
  become: yes
  vars_files:
    - vars/main.yml
    - local-vars/local.yml
  roles:
    - { role: geerlingguy.mysql }
    - { role: geerlingguy.nginx }
  tasks:
    - name: Install server packages
      apt:
        pkg:
          - tomcat8
          - tomcat8-admin # needed for deploy
          - unzip # needed for deploy
          # for monitoring
          - prometheus-mysqld-exporter
          # - prometheus-nginx-exporter # (not there yet)
    - name: Setup Server Context
      template:
        src: templates/context.j2
        dest: /etc/tomcat8/context.xml
        owner: root
        group: tomcat8
        mode: '0640'
      notify: Restart Tomcat
    - name: Setup tomcat8/server.xml
      copy:
        src: templates/server.xml
        dest: /etc/tomcat8/server.xml
        owner: root
        group: tomcat8
        mode: '0640'
      notify: Restart Tomcat
    - name: Setup Server Users
      template:
        src: templates/users.j2
        dest: /etc/tomcat8/tomcat-users.xml
        owner: root
        group: tomcat8
        mode: '0640'
      notify: Restart Tomcat
    - name: Create CLDR dir
      file:
        path: /var/lib/tomcat8/cldr
        state: directory
        owner: tomcat8
        group: tomcat8
        mode: 0775
    - name: Create cldr.properties
      template:
        dest: /var/lib/tomcat8/cldr/cldr.properties
        src: templates/cldr-properties.j2
        force: no
        owner: tomcat8
        group: tomcat8
        mode: "0644"
      notify: Restart Tomcat
    - name: Checkout CLDR trunk
      git:
        repo: https://github.com/unicode-org/cldr.git
        dest: /var/lib/tomcat8/cldr/cldr-trunk
        force: no
        update: no
        version: master
        # this is deep because we will need to keep updating
        # it with history. It does not include LFS as that
        # is not needed for the surveytool.
    - name: Setup index.html
      copy:
        src: templates/index.html
        dest: /var/www/html
        owner: root
        group: root
        mode: '0644'
    - name: Setup reverse proxy
      blockinfile:
        path: /etc/nginx/sites-enabled/default
        block: |
          # proxy /cldr-apps/ to tomcat
          location /cldr-apps/ {
            rewrite ^/(.+)\._[\da-f]+_\.(js|css)$ /$1.$2 break;
            allow all;
            proxy_pass http://localhost:8080/cldr-apps/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $remote_addr;
          }
        marker: '# {mark} ANSIBLE MANAGED BLOCK'
        insertafter: '^[\s]*server_name' # the LAST uncommented server block
      notify: 'Restart Nginx'
    - name: Setup surveytool user for deploy
      user:
        name: surveytool
        shell: /bin/bash
    - name: Give access to surveytool user
      file:
        path: /var/lib/tomcat8/cldr/cldr-trunk
        owner: surveytool
        recurse: yes
    - name: Setup surveytool auth
      authorized_key:
        user: surveytool
        key: '{{ surveytooldeploy.key }}'
    - name: Setup deploy-to-tomcat.sh
      template:
        src: templates/deploy-sh.j2
        dest: /usr/local/bin/deploy-to-tomcat.sh
        owner: root
        group: root
        mode: '0755'
    - name: ensure cldradmin group is there
      group:
        name: cldradmin
        state: present
    - name: ensure cldradmin user is there
      user:
        name: cldradmin
        comment: CLDR Admin
        groups:
          - cldradmin
        append: yes # add to the groups, do not remove
        state: present
        create_home: true
    - name: Setup /home/cldradmin/.my.cnf
      template:
        src: templates/mycnf.j2
        dest: /home/cldradmin/.my.cnf
        owner: cldradmin
        group: cldradmin
        mode: '0640'
    - name: make sure /home/cldradmin/.ssh/ exists
      file:
        path: /home/cldradmin/.ssh/
        owner: cldradmin
        group: cldradmin
        mode: '0700'
        state: directory
    - name: make sure /home/cldradmin/.ssh/authorized_keys exists
      file:
        dest: /home/cldradmin/.ssh/authorized_keys
        owner: cldradmin
        group: cldradmin
        mode: '0600'
        state: touch #https://github.com/ansible/ansible/issues/7490#issuecomment-497373505
        modification_time: preserve
        access_time: preserve
    - name: add cldradmin to sudoers
      template:
        dest: /etc/sudoers.d/55-cldradmin-users
        owner: root
        group: root
        mode: '440'
        src: templates/55-cldradmin.conf
  handlers:
    - name: Restart Tomcat
      service:
        name: tomcat8
        state: restarted
    - name: Restart Nginx
      service:
        name: nginx
        state: restarted

- hosts: all
  become: yes
  roles:
     - role: derJD.journald
       vars:
          journald_options:
            SystemMaxUse: 512M  #reduce logfile use
  tasks:
    - name: Install some packages
      apt:
        pkg:
          # these are for convenience of the user
          - mosh
          - emacs-nox
          - byobu
          # these are for monitoring
          - prometheus-node-exporter

- hosts: letsencrypt
  become: yes
  vars_files:
    - vars/main.yml
    - local-vars/local.yml
  tasks:
    - name: Install certbot packages
      apt:
        pkg:
          - python3-certbot-nginx
    - name: setup certbot
      command: >
        sudo certbot --nginx --agree-tos -m {{ certbot_admin_email }}
        -d {{ inventory_hostname }} --non-interactive
        --keep --redirect --uir --hsts --staple-ocsp --must-staple
      args:
        creates: /etc/letsencrypt/renewal/{{ inventory_hostname }}.conf

- import_playbook: backup-db-playbook.yml