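---
# Provisioning tasks for the breccia-mapper Django application on RHEL/CentOS 7
# (Software Collections nginx 1.14 + python 3.6, uWSGI behind nginx).
#
# Two deployment paths are selected by `vagrant_dir` — a `stat` result that is
# registered before this task list runs (not visible in this file):
#   * Vagrant: source and settings.ini come from the shared /vagrant folder.
#   * Otherwise: source is cloned from GitHub with a deploy key and
#     settings.ini is rendered from settings.j2.
# Variables used here (project_dir, venv_dir, web_user, web_group, db_user,
# db_pass, db_name, deploy_mode, project_name, branch, settings_file) are
# expected to be supplied by the inventory / role defaults.

- name: Test connection
  ping:

- name: Enable EPEL
  yum:
    name: epel-release
    state: present

# Deliberately upgrades everything; this is the one task where `latest` is
# the intent rather than an idempotency problem.
- name: Update system packages
  yum:
    name: '*'
    state: latest

- name: Enable RedHat Software Collections - RHEL
  rhsm_repository:
    name: rhel-server-rhscl-7-rpms
  when: ansible_distribution == "RedHat"

- name: Enable RedHat Software Collections - CentOS
  yum:
    name: centos-release-scl
    state: present
  when: ansible_distribution == "CentOS"

# `present` rather than `latest`: the update task above already upgrades
# installed packages, and `latest` makes every run report a change.
- name: Install system prerequisites
  yum:
    name: '{{ packages }}'
    state: present
  vars:
    packages:
      - gcc
      - git
      - rh-nginx114
      - rh-python36
      - policycoreutils-python
      - python
      - python-setuptools
      - python2-cryptography

- name: (Vagrant only) Clone / update from local repo
  git:
    repo: /vagrant
    dest: '{{ project_dir }}'
  when: vagrant_dir.stat.exists

- name: (Vagrant only) Copy local settings file
  copy:
    src: '{{ settings_file | default("settings.ini") }}'
    dest: '{{ project_dir }}/settings.ini'
    owner: '{{ web_user }}'
    group: '{{ web_group }}'
    mode: '0600'
  when: vagrant_dir.stat.exists

- name: (Vagrant only) Add DB to settings file
  ini_file:
    path: '{{ project_dir }}/settings.ini'
    section: settings
    option: DATABASE_URL
    value: 'mysql://{{ db_user }}:{{ db_pass }}@localhost:3306/{{ db_name }}'
  # The value embeds the database password; keep it out of task output/logs.
  no_log: true
  when: vagrant_dir.stat.exists

# The deploy key is only needed for the clone. It is staged under /tmp and
# removed again in `always`, so it does not stay on the host if the clone
# fails or the play is interrupted after it.
- name: Clone / update from source repo
  when: not vagrant_dir.stat.exists
  block:
    - name: Copy deploy key
      copy:
        src: deployment-key
        dest: /tmp/deployment-key
        mode: '0600'

    - name: Clone / update from GitHub
      git:
        repo: 'git@github.com:Southampton-RSG/breccia-mapper.git'
        dest: '{{ project_dir }}'
        key_file: /tmp/deployment-key
        version: '{{ branch | default("master") }}'
        # Trust-on-first-use: whatever host key is presented on the first
        # clone is accepted. Pinning GitHub's key with the known_hosts module
        # beforehand would remove that window.
        accept_hostkey: true
  always:
    - name: Remove deploy key
      file:
        path: /tmp/deployment-key
        state: absent

- name: Copy and populate settings template
  template:
    src: settings.j2
    dest: '{{ project_dir }}/settings.ini'
    owner: '{{ web_user }}'
    group: '{{ web_group }}'
    mode: '0600'
  when: not vagrant_dir.stat.exists

- name: Set ownership of source directory
  file:
    path: '{{ project_dir }}'
    owner: '{{ web_user }}'
    group: '{{ web_group }}'
    recurse: true

# `source` is a bash builtin, so run under bash explicitly; `creates` keeps
# the task idempotent once the venv exists.
- name: Create venv
  shell: |
    source scl_source enable rh-python36
    python3 -m venv {{ venv_dir | quote }}
  args:
    executable: /bin/bash
    creates: '{{ venv_dir }}/bin/activate'

- name: Install pip requirements
  pip:
    requirements: '{{ project_dir }}/requirements.txt'
    virtualenv: '{{ venv_dir }}'

- name: Create static directory
  file:
    path: '{{ project_dir }}/static'
    state: directory
    owner: '{{ web_user }}'
    group: '{{ web_group }}'
    mode: '0755'

- name: Run Django setup stages
  django_manage:
    command: '{{ item }}'
    app_path: '{{ project_dir }}'
    virtualenv: '{{ venv_dir }}'
  # `become_user` on its own does not enable privilege switching; without
  # `become: true` these commands run as the connecting user and the files
  # they create (migrations' backups, collected static) end up owned by it.
  become: true
  become_user: '{{ web_user }}'
  loop:
    - dbbackup
    - migrate
    - collectstatic

- name: Apply SELinux type
  file:
    path: '{{ project_dir }}/static'
    state: directory
    setype: httpd_sys_content_t

# Puts the whole httpd_t domain into permissive mode, i.e. SELinux stops
# confining the web server. Only for dev/test (deploy_mode > 1); production
# stays enforcing.
- name: (Not production) Set SELinux permissive mode
  selinux_permissive:
    name: httpd_t
    permissive: true
  when: deploy_mode > 1

# NOTE(review): uWSGI is installed unpinned into the SCL python36 from PyPI on
# every run; pin a version (and ideally a hash) for reproducible deployments.
- name: Install uWSGI
  shell: |
    source scl_source enable rh-python36
    pip3 install uwsgi
  args:
    executable: /bin/bash

- name: Setup uWSGI config
  file:
    path: /etc/uwsgi/sites
    state: directory
    mode: '0755'

- name: Setup uWSGI service
  template:
    src: uwsgi-service.j2
    dest: /etc/systemd/system/uwsgi.service

- name: Ensure uWSGI running
  service:
    name: uwsgi
    state: started
    enabled: true
    daemon_reload: true

- name: Copy web config files
  template:
    src: uwsgi-site.j2
    dest: '/etc/uwsgi/sites/{{ project_name }}.ini'

# Self-signed certificate for the host: clients will not trust it, so this is
# only suitable for internal/test use or until a CA-issued certificate is
# installed in its place.
- name: Generate self-signed SSL certificate
  block:
    - name: Create directories
      file:
        path: '{{ item }}'
        state: directory
      loop:
        - /etc/ssl
        - /etc/ssl/crt
        - /etc/ssl/private
        - /etc/ssl/csr

    - name: Create keys
      openssl_privatekey:
        path: '/etc/ssl/private/{{ inventory_hostname }}.pem'
        owner: '{{ web_user }}'
        group: '{{ web_group }}'
        # Without an explicit mode the key inherits the process umask and can
        # end up world-readable.
        mode: '0600'

    - name: Create Certificate Signing Request (CSR)
      openssl_csr:
        path: '/etc/ssl/csr/{{ inventory_hostname }}.csr'
        privatekey_path: '/etc/ssl/private/{{ inventory_hostname }}.pem'
        common_name: '{{ inventory_hostname }}'
        owner: '{{ web_user }}'
        group: '{{ web_group }}'

    - name: Generate certificate
      openssl_certificate:
        path: '/etc/ssl/crt/{{ inventory_hostname }}.crt'
        privatekey_path: '/etc/ssl/private/{{ inventory_hostname }}.pem'
        csr_path: '/etc/ssl/csr/{{ inventory_hostname }}.csr'
        provider: selfsigned
        owner: '{{ web_user }}'
        group: '{{ web_group }}'

- name: Copy Nginx SSL site
  template:
    src: nginx-site-ssl.j2
    dest: '/etc/opt/rh/rh-nginx114/nginx/conf.d/{{ project_name }}-ssl.conf'
    owner: '{{ web_user }}'
    group: '{{ web_group }}'
  when: deploy_mode > 1

- name: Copy Nginx site
  template:
    src: nginx-site.j2
    dest: '/etc/opt/rh/rh-nginx114/nginx/conf.d/{{ project_name }}.conf'
    owner: '{{ web_user }}'
    group: '{{ web_group }}'

- name: Restart uWSGI and Nginx
  service:
    name: '{{ item }}'
    state: restarted
    enabled: true
    daemon_reload: true
  loop:
    - uwsgi
    - rh-nginx114-nginx

- name: Populate service facts
  service_facts:

# Only touches firewalld when it is actually running; hosts without it (or
# with it stopped) are left alone.
- name: Open webserver ports on firewall
  firewalld:
    service: '{{ item }}'
    state: enabled
    permanent: true
    immediate: true
  loop:
    - ssh
    - http
    - https
  when:
    - ansible_facts.services['firewalld.service'] is defined
    - ansible_facts.services['firewalld.service'].state == 'running'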