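#!/usr/bin/env ansible-playbook
# vim:ft=ansible:
# Webservers
#
# One play per web host (web1, web2, web3). Each play:
#   - sets defaults for every docker_container task it runs,
#   - ensures the shared "web" docker network exists,
#   - includes one task file per application hosted on that machine,
#   - applies the backup and ingress roles (web1 also applies the git role).
#
# Ansible executes `roles:` before `tasks:` within a play, regardless of the
# order the keys are written in.
---
- hosts: web1.desu.ltd
  module_defaults:
    # Applied to every docker_container task in this play, including those
    # pulled in through include_tasks below.
    docker_container:
      state: started
      restart_policy: unless-stopped
      # Re-pull the image on every run.
      # NOTE(review): image references live in the included task files, which
      # are not visible here. If they use mutable tags, each run may deploy
      # different image content; pinning by digest there would make runs
      # reproducible.
      pull: true
  tasks:
    - name: ensure docker network
      docker_network:
        name: web
      tags: [docker]
    - name: include tasks for applications
      include_tasks: "tasks/{{ item }}"
      with_items:
        - app/gulagbot.yml
        - app/redis.yml
        - web/9iron.yml
        - web/desultd.yml
        - web/gitea.yml
        - web/nextcloud.yml
        - web/srv.yml
      tags: [always]
  roles:
    - role: backup
      vars:
        # NOTE(review): these paths presumably hold application data and
        # credentials (Gitea, Nextcloud). Confirm the backup role encrypts
        # what it uploads and that the destination is not publicly readable.
        backup_s3backup_list_extra:
          - /app/gitea/gitea
          - /data
          - /srv/desu.ltd
        backup_s3backup_exclude_list_extra:
          - /var/lib/gitea/log
          - /data/gitea/data/gitea/log
      tags: [backup]
    - role: git
      vars:
        git_repos:
          # NOTE(review): no ref or commit is pinned in this entry, so the
          # role presumably checks out its default ref. The destination looks
          # like Gitea's custom directory, so write access to this repository
          # is effectively write access to what Gitea serves - confirm who
          # can push to it.
          - repo: https://git.desu.ltd/salt/gitea-custom
            dest: /data/gitea/data/gitea/custom
      tags: [web, git]
    - role: ingress
      vars:
        # Each entry maps a public server name to a container on the "web"
        # docker network. Backends are addressed over plain HTTP by name.
        ingress_servers:
          # desu.ltd
          - name: desu.ltd
            proxy_pass: http://desultd:80
          - name: git.desu.ltd
            proxy_pass: http://gitea:3000
          - name: nc.desu.ltd
            directives:
              # nginx only emits add_header on a fixed set of 2xx/3xx
              # responses unless the `always` parameter is given.
              # NOTE(review): consider appending `always` so error responses
              # carry HSTS too, and confirm whether the role sets HSTS for
              # the other vhosts, which declare none here.
              - 'add_header Strict-Transport-Security "max-age=31536000"'
              # 0 disables nginx's request-body size check for this vhost.
              # NOTE(review): upload limits then rest entirely on the
              # backend - confirm one is configured there.
              - 'client_max_body_size 0'
            proxy_pass: http://nextcloud:80
            locations:
              - location: '^~ /.well-known'
                # Service-discovery redirects for CardDAV/CalDAV clients.
                # NOTE(review): line breaks inside this block were
                # reconstructed; nginx treats the whitespace as
                # insignificant.
                contents: |
                  location = /.well-known/carddav { return 301 /remote.php/dav/; }
                  location = /.well-known/caldav { return 301 /remote.php/dav/; }
                  location ^~ /.well-known { return 301 /index.php$uri; }
                  try_files $uri $uri/ =404;
          # 9iron
          - name: www.9iron.club
            directives:
              # Canonicalise www to the bare domain, keeping the request's
              # scheme.
              - 'return 301 $scheme://9iron.club$request_uri'
          - name: 9iron.club
            proxy_pass: http://9iron:80
          - name: srv.9iron.club
            proxy_pass: http://srv:80
      tags: [web, docker, ingress]

- hosts: web2.desu.ltd
  module_defaults:
    # Same container defaults as the web1 play; see the note on `pull` there.
    docker_container:
      state: started
      restart_policy: unless-stopped
      pull: true
  tasks:
    - name: ensure docker network
      docker_network:
        name: web
      tags: [docker]
    - name: include tasks for applications
      include_tasks: "tasks/{{ item }}"
      with_items:
        - app/redis.yml
        - web/peertube.yml
        - web/pleroma.yml
      tags: [always]
  roles:
    - role: backup
      vars:
        backup_s3backup_list_extra:
          - /data
      tags: [backup]
    - role: ingress
      vars:
        ingress_servers:
          - name: cowfee.moe
            proxy_pass: http://pleroma:4000
          - name: tube.cowfee.moe
            proxy_pass: http://peertube:9000
      tags: [web, docker, ingress]

- hosts: web3.desu.ltd
  module_defaults:
    # Same container defaults as the web1 play; see the note on `pull` there.
    docker_container:
      state: started
      restart_policy: unless-stopped
      pull: true
  tasks:
    - name: ensure docker network
      docker_network:
        name: web
      tags: [docker]
    - name: include tasks for applications
      include_tasks: "tasks/{{ item }}"
      with_items:
        - app/redis.yml
        - web/movienight.yml
        - web/netbox.yml
        - web/nagios.yml
      tags: [always]
  roles:
    - role: backup
      vars:
        backup_s3backup_list_extra:
          - /data
      tags: [backup]
    - role: ingress
      vars:
        ingress_servers:
          # NOTE(review): netbox and nagios are inventory/monitoring UIs.
          # Nothing in these entries restricts who may reach them - confirm
          # that the ingress role or the applications themselves enforce
          # authentication, or add an allow-list at the proxy.
          - name: netbox.desu.ltd
            proxy_pass: http://netbox:8080
          - name: nagios.desu.ltd
            proxy_pass: http://nagios:80
          - name: movie.desu.ltd
            proxy_pass: http://movienight:8089
      tags: [web, docker, ingress]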