---

- hosts: webservers
  tasks:
    - name: Basic setup
      include_role: name=common

    - name: Setup logs.afpy.org
      include_role: name=nginx
      vars:
        nginx_owner: logs-afpy-org
        nginx_domain: logs.afpy.org
        nginx_certificates: [logs.afpy.org]
        nginx_public_deploy_key: "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA8BxBkDeX8exqUzvU813yOUx7mu1Ax5cfntFJo8a80CZ4m/jKNXwqd5eW7Vp6hVNvKuKcb58SgUzQ/Yl2AaMqF2KMD+aAwSYaqtJCFVYG+zjpGhQuxvQVKb9Pvdu9clpRHAYUw9bD/GG2YLdaryLqr54XCF6h/bCc6gHcj/UhByoQJwCbkBTCvCzHHEOe+Je2RAQc5nDWACXffO1LduHtjDvRH5wpnfubYy96fLfwFhFNNvci4vRxKA0JTFlU5URds5Y+Uk5pH+yRzN3DBZhdXTg5w2Ox9d+Xd5NxpInMiHJzI+Ldax7DolYXEFx5ZT+gSOo3VOzvo6fjHYEp2LALOQ== gawel@boiboite"
        nginx_conf: |
          server
          {
              listen [::]:80; listen 80;
              server_name logs.afpy.org;
              return 301 https://$host$request_uri;
          }

          server
          {
              listen [::]:443 ssl http2; listen 443 ssl http2;
              server_name logs.afpy.org;
              include snippets/letsencrypt-logs.afpy.org.conf;
              add_header Content-Security-Policy "default-src 'none'; style-src 'self'; script-src 'self';";
              add_header X-Content-Type-Options "nosniff";
              add_header X-Frame-Options DENY;

              location /
              {
                  include proxy_params;
                  proxy_pass http://unix:/run/logs-afpy-org/website.sock;
              }
          }

    - name: Logs are written by alain
      file:
        path: /var/www/logs.afpy.org/
        owner: alain
        mode: 0755
        state: directory

    - name: logs-afpy-org user can reload own website
      lineinfile:
        path: /etc/sudoers
        state: present
        regexp: '^logs-afpy-org '
        line: "logs-afpy-org ALL = NOPASSWD: /bin/systemctl restart logs-afpy-org.service"
        validate: /usr/sbin/visudo -cf %s

    - name: Initial clone
      become: true
      become_user: logs-afpy-org
      git:
        repo: https://git.afpy.org/AFPy/AfpyLogs/
        dest: /home/logs-afpy-org/src/
        update: yes

    - name: Setup or upgrade venv
      become: true
      become_user: logs-afpy-org
      command: python3 -m venv --upgrade-deps /home/logs-afpy-org/venv/
      changed_when: False

    - name: pip install logs.afpy.org website
      become: true
      become_user: logs-afpy-org
      pip:
        requirements: /home/logs-afpy-org/src/requirements.txt
        virtualenv_command: /usr/bin/python3 -m venv
        virtualenv: "/home/logs-afpy-org/venv/"

    - name: Configure afpy logs server
      copy:
        dest: /home/logs-afpy-org/src/config-production.py
        content: |
          SECRET_KEY = "Currently unused

          JINJA_ENV = {
              "TRIM_BLOCKS": True,
              "LSTRIP_BLOCKS": True,
          }

          LOG_PATH = "/var/www/logs.afpy.org/"

          # IRSSI log pattern:
          DATE_FORMAT = "(\d+-\d+-\d+ )?(?P<time>\d\d:\d\d)"
          LOG_PATTERN = r"^%s\s+[<*]\s*(?P<nick>[^> ]+)[> ]\s+(?P<message>.*)$" % DATE_FORMAT

          BOLD_PATTERN = r"\*[^*\s]+\*"
          BOLD_HTML = "<b>{text}</b>"
      notify: logs-afpy-org.service

    - name: systemd logs.afpy.org service
      copy:
        dest: /etc/systemd/system/logs-afpy-org.service
        content: |
          [Unit]
          Description=IRC Logs website
          After=network.target

          [Service]
          PIDFile=/run/logs-afpy-org/website.pid
          User=logs-afpy-org
          Group=logs-afpy-org
          RuntimeDirectory=logs-afpy-org
          WorkingDirectory=/home/logs-afpy-org/src/
          ExecStart=/home/logs-afpy-org/venv/bin/gunicorn -w 2 \
                    --pid /run/logs-afpy-org/website.pid \
                    --bind unix:/run/logs-afpy-org/website.sock \
                    app
          ExecReload=/bin/kill -s HUP $MAINPID
          ExecStop=/bin/kill -s TERM $MAINPID
          PrivateTmp=true

          [Install]
          WantedBy=multi-user.target

    - service: name=logs-afpy-org state=started enabled=yes

  handlers:
    - name: reload nginx
      service: name=nginx state=reloaded

    - name: logs-afpy-org.service
      systemd:
        name: logs-afpy-org.service
        state: restarted
        daemon_reload: yes