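---
# Provision the nategb host: base packages, sudo-capable users with SSH
# keys, a hardened sshd, and nginx + cgit serving /var/www/nategb.
#
# Caveats (from the original author):
#   - ufw will mess with this.
#   - The default nginx vhost in sites-enabled may mess with this.
#   - The server_name causes a 502 error unless DNS is set up.
#   - cgit has not been extensively tested.
#
# Task order matters for the SSH hardening: authorized keys are installed
# for every user in `sudoers` BEFORE PasswordAuthentication is switched
# off, so a run cannot lock the operator out of a key-less account.
- hosts: nategb
  become: true
  vars:
    # Users created on the host and added to the `sudo` group.
    sudoers:
      - n8
    # Public key (a path on the controller) installed for each user in
    # `sudoers`. Override with `-e ssh_pubkey_file=...` to deploy another.
    ssh_pubkey_file: /home/n8/.ssh/id_ed25519.pub

  tasks:
    - name: Install updates (apt)
      ansible.builtin.apt:
        name: "*"
        state: latest
        update_cache: true
      when:
        - ansible_os_family == "Debian"

    - name: apt install nginx, etc.
      tags:
        - nategb
      ansible.builtin.apt:
        name:
          - git
          - tmux
          - tor
          - rsync
          - neovim
          - nginx
          - cgit
          - fcgiwrap
          - python3-certbot-nginx
        update_cache: true
      when: ansible_os_family == "Debian"

    - name: gather package facts
      tags:
        - nategb
      ansible.builtin.package_facts:
        manager: apt
      when: ansible_os_family == "Debian"

    - name: install sudo if not already installed
      tags:
        - nategb
      ansible.builtin.apt:
        name:
          - sudo
        update_cache: true
      when: "'sudo' not in ansible_facts.packages"

    - name: Make sure 'sudo' group exists
      ansible.builtin.group:
        name: sudo
        state: present

    # Deliberately no `when: "'sudo' in ansible_facts.packages"` here: the
    # package facts were gathered BEFORE sudo was installed, so on a fresh
    # host that stale condition would skip this task and leave the `sudo`
    # group without privileges. The tasks above guarantee sudo is present.
    - name: Allow 'sudo' group to use sudo
      tags:
        - nategb
        - sudo
      ansible.builtin.lineinfile:
        dest: /etc/sudoers
        state: present
        regexp: '^%sudo'
        line: '%sudo ALL=(ALL) ALL'
        # Syntax check via visudo before the file is swapped in, so a typo
        # cannot render sudo unusable host-wide.
        validate: 'visudo -cf %s'

    - name: add users
      tags:
        - nategb
      ansible.builtin.user:
        name: "{{ item }}"
        groups: sudo
        append: true
      loop: "{{ sudoers }}"

    - name: add ssh keys to users
      tags:
        - nategb
      ansible.posix.authorized_key:
        user: "{{ item }}"
        state: present
        key: "{{ lookup('file', ssh_pubkey_file) }}"
      loop: "{{ sudoers }}"

    # Each regexp only matches an active (uncommented) directive; a
    # commented-out default is left alone and the new line is appended.
    # NOTE(review): sshd honours the FIRST value it sees for an option, and
    # newer Debian releases ship an `Include /etc/ssh/sshd_config.d/*.conf`
    # near the top of sshd_config — a drop-in there would take precedence
    # over these lines. Confirm that directory is empty or consistent.
    - name: secure sshd
      ansible.builtin.lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        state: present
        # `sshd -T -f` parses the candidate file; a broken config is never
        # installed, which would otherwise lock out every future login.
        validate: 'sshd -T -f %s'
      loop:
        - regexp: "^PasswordAuthentication"
          line: "PasswordAuthentication no"
        - regexp: "^PermitRootLogin"
          line: "PermitRootLogin prohibit-password"
      # Without a reload the edited file has no effect until the next
      # restart/reboot, leaving password logins enabled in the meantime.
      notify: reload sshd

    - name: copy nategb.conf to nginx on server
      tags:
        - nginx
        - nategb
      ansible.builtin.copy:
        src: files/conf.d/nategb.conf
        dest: /etc/nginx/sites-available/nategb.conf
        owner: root
        group: root
        mode: "0644"

    - name: copy cgit.conf to nginx on server
      tags:
        - nginx
        - nategb
      ansible.builtin.copy:
        src: files/conf.d/cgit.conf.debian
        dest: /etc/nginx/sites-available/cgit.conf
        owner: root
        group: root
        mode: "0644"

    - name: copy cgitrc to server
      tags:
        - nginx
        - cgit
        - nategb
      ansible.builtin.copy:
        src: files/etc/cgitrc.debian
        dest: /etc/cgitrc
        owner: root
        group: root
        mode: "0644"

    - name: create /var/www/nategb
      tags:
        - nginx
        - nategb
      ansible.builtin.file:
        path: /var/www/nategb
        state: directory
        mode: "0755"

    # `--delete` makes the docroot mirror files/nategb-root/ exactly: anything
    # on the host that is not in the source tree is removed.
    - name: copy web files
      ansible.posix.synchronize:
        src: files/nategb-root/
        dest: /var/www/nategb
        rsync_opts:
          - "-r"
          - "-d"
          - "-v"
          - "-l"
          - "-P"
          - "--delete"

    # https://badzilla.co.uk/ansible-tasks-create-symbolic-links-nginx-apache-sites-enabled-directory
    - name: Apply symlinks in sites-enabled
      ansible.builtin.file:
        dest: "/etc/nginx/sites-enabled/{{ item }}"
        src: "/etc/nginx/sites-available/{{ item }}"
        state: link
        force: true
      loop:
        - nategb.conf
        - cgit.conf

    - name: start nginx service
      tags:
        - nginx
        - nategb
      ansible.builtin.service:
        name: nginx
        enabled: true
        state: started

    - name: reload nginx service
      tags:
        - nginx
        - nategb
      ansible.builtin.service:
        name: nginx
        state: reloaded

    - name: start fcgiwrap service
      tags:
        - nategb
      ansible.builtin.service:
        name: fcgiwrap
        enabled: true
        state: started

    - name: start fcgiwrap socket
      tags:
        - nategb
      ansible.builtin.service:
        name: fcgiwrap.socket
        enabled: true
        state: started

  handlers:
    # Runs once at the end of the play if "secure sshd" changed anything.
    # Debian names the unit `ssh`; a reload re-reads the config without
    # dropping established sessions.
    - name: reload sshd
      ansible.builtin.service:
        name: ssh
        state: reloaded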