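#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
# Task list for a Debian/Ubuntu host with PHP 7.2: install Nextcloud's
# dependencies, drop in the php.ini files, then obtain a TLS certificate for
# `website_url` over ACME v2 with an HTTP-01 challenge served from
# /var/www/html. `website_url` is expected to be supplied by the caller.
# NOTE(review): despite the shebang this is a bare task list (no `hosts`), so
# it is presumably included from a play — confirm how it is invoked.
- name: Install, configure, and start Nextcloud
  vars:
    # Both acme_certificate tasks below must use the same directory, version
    # and account, otherwise the second call cannot consume the challenge data
    # registered by the first (the module's defaults are NOT this endpoint).
    # This is the Let's Encrypt *staging* directory: it issues certificates
    # that browsers do not trust, so it is for exercising the flow only.
    acme_directory_url: "https://acme-staging-v02.api.letsencrypt.org/directory"
    acme_account_email: "rehashedsalt@cock.li"
  block:
    - name: Install Nextcloud-required packages
      apt:
        name: "{{ packages }}"
      vars:
        packages:
          - apache2
          - mariadb-server
          - libapache2-mod-php
          - php7.2
          - php7.2-xml
          - php7.2-curl
          - php7.2-gd
          - php7.2-cgi
          - php7.2-cli
          - php7.2-zip
          - php7.2-mysql
          - php7.2-mbstring
          - python-openssl  # Needed for keygen (openssl_* modules)
          - python3-openssl

    - name: Copy configuration
      block:
        - name: php-apache2
          copy:
            src: php-apache2.ini
            dest: /etc/php/7.2/apache2/php.ini
            # Quoted octal: a bare `644` is read as decimal 644 (= 01204).
            mode: "0644"

        - name: php-cgi
          copy:
            src: php-cgi.ini
            dest: /etc/php/7.2/cgi/php.ini
            mode: "0644"

    - name: Register certificates
      block:
        - name: Set up our filesystem hierarchy
          file:
            path: "{{ item.dir }}"
            mode: "{{ item.mode }}"
            state: directory
          # Every level of the tree is listed explicitly, so `recurse` is not
          # needed — with it, the directory mode would also be re-applied to
          # the key files underneath on every run. Directories need the
          # execute bit to be traversable, so the private tree is 0700
          # (0600 would make even root-owned tooling unable to descend).
          loop:
            - { dir: "/etc/pki", mode: "0700" }
            - { dir: "/etc/pki/cert", mode: "0700" }
            - { dir: "/etc/pki/cert/crt", mode: "0700" }
            - { dir: "/etc/pki/cert/csr", mode: "0700" }
            - { dir: "/etc/pki/cert/private", mode: "0700" }
            - { dir: "/etc/pki/cert/challenge", mode: "0700" }
            - { dir: "/etc/pki/cert/challenge/{{ website_url }}", mode: "0700" }

        - name: Create ACME account key
          openssl_privatekey:
            path: "/etc/pki/cert/private/account.key"
            size: 4096
            mode: "0600"

        - name: Create certificate key
          openssl_privatekey:
            path: "/etc/pki/cert/private/{{ website_url }}.key"
            size: 4096
            mode: "0600"

        - name: Create CSR
          openssl_csr:
            path: "/etc/pki/cert/csr/{{ website_url }}.csr"
            common_name: "{{ website_url }}"
            # Must be the certificate key, not the ACME account key: the CA
            # rejects a CSR whose public key matches the account key, and the
            # key created in the previous task was otherwise never used.
            privatekey_path: "/etc/pki/cert/private/{{ website_url }}.key"
            email_address: "{{ acme_account_email }}"

        - name: Create well-known directory
          file:
            # Apache must traverse this directory to serve the HTTP-01 token,
            # so it needs the execute bit; 0644 would hide the token.
            mode: "0755"
            path: "/var/www/html/.well-known/acme-challenge"
            state: directory

        - name: Create challenge for CSR
          acme_certificate:
            acme_directory: "{{ acme_directory_url }}"
            acme_version: 2
            terms_agreed: true
            account_email: "{{ acme_account_email }}"
            account_key: "/etc/pki/cert/private/account.key"
            csr: "/etc/pki/cert/csr/{{ website_url }}.csr"
            dest: "/etc/pki/cert/crt/{{ website_url }}.crt"
            fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt"
          register: com_challenge

        # The HTTP-01 token is published under the well-known directory
        # created above; only needed when a new challenge was issued.
        - name: Fulfill challenge
          copy:
            dest: "/var/www/html/{{ com_challenge['challenge_data'][website_url]['http-01']['resource'] }}"
            content: "{{ com_challenge['challenge_data'][website_url]['http-01']['resource_value'] }}"
          when: com_challenge is changed

        - name: Create certificate
          acme_certificate:
            # Same endpoint/version/account as the challenge task, so the
            # registered challenge data is valid for this call.
            acme_directory: "{{ acme_directory_url }}"
            acme_version: 2
            terms_agreed: true
            account_email: "{{ acme_account_email }}"
            account_key: "/etc/pki/cert/private/account.key"
            csr: "/etc/pki/cert/csr/{{ website_url }}.csr"
            dest: "/etc/pki/cert/crt/{{ website_url }}.crt"
            fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt"
            chain_dest: "/etc/pki/cert/crt/{{ website_url }}-intermediate.crt"
            data: "{{ com_challenge }}"
  become: true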