#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
# Webservers
---
- hosts: web1.desu.ltd
  tasks:
    - name: configure nextcloud cronjob
      cron: user=www-data name=nextcloud minute=*/5 job="php -f /var/www/nc.desu.ltd/cron.php"
      tags: [ nextcloud, cron ]
  vars_files:
    - vars/apache.yml
    - vars/php-fpm.yml
    - vars/desultd-apache.yml
    - vars/desultd-certbot.yml
    - vars/desultd-nextcloud.yml
  roles:
    - role: backup
      vars:
        backup_s3backup_list_extra:
          - /var/lib/gitea
          - /var/www/nc.desu.ltd
          - /var/www/www.9iron.club/files
          - /srv/desu.ltd
        backup_s3backup_exclude_list_extra:
          - /var/lib/gitea/log
      tags: [ backup ]
    - role: motd
      vars:
        motd_watch_services_extra:
          - apache2
          - gitea
          - php7.4-fpm
      tags: [ motd ]
    - role: certbot
      tags: [ web, certbot ]
    - role: php
      tags: [ web, php ]
    - role: apache
      tags: [ web, apache ]
    - role: git
      vars:
        git_repos:
          - repo: https://git.desu.ltd/salt/desultd
            dest: /var/www/desu.ltd
          - repo: https://git.desu.ltd/salt/9iron
            dest: /var/www/www.9iron.club
          - repo: https://git.desu.ltd/salt/gitea-custom
            dest: /usr/local/bin/custom
      tags: [ web, git ]
    - role: nextcloud
      tags: [ web, nextcloud ]
    - role: gitea
      vars:
        # Look and feel
        gitea_app_name: "Git Desu"
        # Core config
        gitea_db_type: postgres
        gitea_db_host: 192.168.164.156:5432
        gitea_db_name: gitea-desultd
        gitea_db_user: gitea-desultd
        gitea_db_password: "{{ secret_gitea_db_pass }}"
        gitea_http_domain: git.desu.ltd
        gitea_oauth2_enabled: no
        gitea_repository_root: /srv/desu.ltd/git
        gitea_require_signin: no
        gitea_root_url: https://git.desu.ltd
        gitea_shell: "/bin/bash"
        gitea_ssh_domain: git.desu.ltd
        gitea_ssh_port: 22
        gitea_start_ssh: no
        gitea_user: git
      tags: [ web, gitea ]
- hosts: game1.thefuck.how
  roles:
    - role: certbot
      vars:
        certbot_admin_email: rehashedsalt@cock.li
        certbot_create_if_missing: yes
        certbot_create_method: standalone
        certbot_create_standalone_stop_services:
          - apache2
        certbot_certs:
          - domains:
              - thefuck.how
              - game1.thefuck.how
      tags: [ web, certbot ]
    - role: php
      vars:
        php_enable_php_fpm: yes
        php_memory_limit: 512M
        php_packages_extra:
          - libapache2-mod-php
          - php-intl
          - php-imagick
          - php-redis
          - php-bcmath
          - php-gmp
      tags: [ web, php ]
    - role: apache
      vars:
        apache_remove_default_vhost: yes
        apache_packages_state: latest
        apache_mods_enabled:
          - headers.load
          - http2.load
          - mpm_worker.load
          - proxy.load
          - proxy_fcgi.load
          - proxy_http.load
          - rewrite.load
          - ssl.load
        apache_mods_disabled:
          - mpm_prefork.load
          - php7.4.load
        apache_global_vhost_settings: |
          DirectoryIndex index.php index.html
          Protocols h2 http/1.1
          <FilesMatch \.php$>
            SetHandler "proxy:fcgi://127.0.0.1:9000"
          </FilesMatch>
        apache_vhosts:
          - servername: thefuck.how
            extra_parameters: |
              Redirect permanent / https://thefuck.how/
          - servername: game1.thefuck.how
            extra_parameters: |
              Redirect permanent / https://thefuck.how/
        apache_vhosts_ssl:
          - servername: thefuck.how
            documentroot: /var/www/thefuck.how
            certificate_file: /etc/letsencrypt/live/thefuck.how/fullchain.pem
            certificate_key_file: /etc/letsencrypt/live/thefuck.how/privkey.pem
            certificate_chain_file: /etc/letsencrypt/live/thefuck.how/chain.pem
          - servername: game1.thefuck.how
            extra_parameters: |
              Redirect permanent / https://thefuck.how/
            certificate_file: /etc/letsencrypt/live/thefuck.how/fullchain.pem
            certificate_key_file: /etc/letsencrypt/live/thefuck.how/privkey.pem
            certificate_chain_file: /etc/letsencrypt/live/thefuck.how/chain.pem
      tags: [ web, apache ]
    - role: git
      vars:
        git_repos:
          - repo: https://git.desu.ltd/salt/thefuckhow
            dest: /var/www/thefuck.how
      tags: [ web, git ]