---
- hosts: krypton.n39.eu
  become: true

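  vars:
    ansible_python_interpreter: /usr/bin/python3

    # Root directory for persistent container state on this host.
    data_dir: "/srv/data"

    # Source ranges the ufw tasks below allow onto the LDAP ports. They are the
    # broad private ranges Docker networks are usually carved from, not a specific
    # network of this host — confirm they match the daemon's address pools.
    docker_ip_ranges: ["172.16.0.0/12", "192.168.0.0/16"]

    # Quoted so a future two-component tag (e.g. "1.5") is not read as a float.
    openldap_image_version: "1.5.0"
    openldap_data: "{{ data_dir }}/openldap"
    # Host name under which the TLS certificate directory for the container is kept.
    openldap_domain: "ldap.n39.eu"
    # Directory the server is initialised with (LDAP_DOMAIN / LDAP_BASE_DN below).
    ldap_domain: "netz39.de"
    ldap_org: "Netz39 e.V."
    ldap_base_dn: "dc=netz39,dc=de"

    # Loopback-only host port the entities validation container is published on;
    # the Apache proxy site is the intended way in.
    entities_validation_svc_host_port: 9001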


  roles:
    - role: docker_setup
      vars:
        docker_data_root: "/srv/docker"
    - role: apache
    - role: apache_letsencrypt  # Uses configuration from dehydrated setup
    - role: ansible-role-dehydrated
      vars:
        # server_admin is not defined in this play; expected from inventory/group vars.
        dehydrated_contact_email: "{{ server_admin }}"
        # Only the validation service host is requested here. openldap_domain is
        # not listed, so the certificate directory mounted into the LDAP container
        # must be populated by something outside this play (the dehydrated task
        # for it below is commented out) — verify before relying on LDAPS.
        dehydrated_domains:
          - name: entities-validation.svc.n39.eu
    - role: penguineer.dehydrated_cron

  tasks:

    # - name: Setup dehydrated challenge endpoint for {{ openldap_domain }}
    #   include_role:
    #     name: setup-http-dehydrated
    #   vars:
    #     site_name: "{{ openldap_domain }}"

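    # Bind-mount sources for the openLDAP container, created up front with a known
    # mode rather than letting Docker create them on first start.
    - name: Ensure openLDAP directories are present.
      file:
        path: "{{ item.path }}"
        mode: "0755"
        state: directory
      loop:
        - path: "{{ openldap_data }}/ldap"
        - path: "{{ openldap_data }}/slapd"
        # Expected to hold custom-element.ldif, which this play does not create.
        # If that file is missing when the container starts, Docker creates a
        # directory at the mount path instead and the bootstrap LDIF is not applied.
        - path: "{{ openldap_data }}/ldif"
        # Certificate directory for openldap_domain; dehydrated_certs_dir is
        # provided by the dehydrated role, not defined in this play.
        - path: "{{ dehydrated_certs_dir }}/{{ openldap_domain }}"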

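    - name: Ensure container for openLDAP is running.
      docker_container:
        name: openLDAP
        image: "osixia/openldap:{{ openldap_image_version }}"
        detach: true
        state: started
        restart_policy: unless-stopped
        container_default_behavior: no_defaults
        pull: true
        # All values are strings on purpose: the container reads them as env text.
        env:
          # timezone and ldap_admin_password are not defined in this play; they are
          # expected from inventory / vault.
          TZ: "{{ timezone }}"
          LDAP_LOG_LEVEL: "256"
          LDAP_ORGANISATION: "{{ ldap_org }}"
          LDAP_DOMAIN: "{{ ldap_domain }}"
          LDAP_BASE_DN: "{{ ldap_base_dn }}"
          LDAP_READONLY_USER: "false"

          LDAP_ADMIN_PASSWORD: "{{ ldap_admin_password }}"
          # NOTE(review): with LDAP_CONFIG_PASSWORD left unset the image falls back
          # to its built-in default for the cn=config password — confirm this is
          # intended, or supply it from vault like the admin password.
          # LDAP_CONFIG_PASSWORD: "{{ ldap_config_password }}"

          LDAP_RFC2307BIS_SCHEMA: "true"

          # GnuTLS priority string; SSLv3 is excluded explicitly.
          LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"

          LDAP_REPLICATION: "no"

          # Image-specific setup switches — verify their exact semantics against the
          # image documentation before changing them.
          KEEP_EXISTING_CONFIG: "false"
          LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
        # NOTE(review): "389:389" publishes on every host interface, and Docker
        # inserts its own iptables rules for published ports ahead of ufw's chains,
        # so the ufw tasks below may not restrict who reaches these ports from
        # outside the host. Verify the effective rule set on the host (DOCKER-USER
        # chain) rather than assuming the ufw rules apply.
        published_ports:
          - "389:389"   # unencrypted/STARTTLS
          - "636:636"   # SSL
        volumes:
          - "{{ openldap_data }}/ldap:/var/lib/ldap"
          - "{{ openldap_data }}/slapd:/etc/ldap/slapd.d"
          # Certificates for openldap_domain; see the dehydrated role/task above.
          - "{{ dehydrated_certs_dir }}/{{ openldap_domain }}:/container/service/slapd/assets/certs"
          # Single-file bind mount: the host file must exist before the first start.
          - "{{ openldap_data }}/ldif/custom-element.ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom/01_netz39.ldif"
        timeout: 500
        # Image options; debug-level logging is verbose — consider lowering it once
        # the setup is stable.
        command: "--copy-service --loglevel debug"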

    # Firewall front end required by the LDAP access rules that follow.
    - name: Ensure UFW is installed
      ansible.builtin.package:
        state: present
        name: ufw

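    # One allow rule per (port, source range) pair: 389 = LDAP/STARTTLS, 636 = LDAPS.
    # Replaces two near-identical tasks that differed only in the port.
    # NOTE(review): Docker manages its own iptables chains for published ports, so
    # these rules may not be what actually gates traffic to the container from
    # outside the host — check the effective rules (DOCKER-USER chain) on the host.
    - name: Allow access to openLDAP from local docker container
      become: true
      community.general.ufw:
        rule: allow
        port: "{{ item.0 }}"
        proto: tcp
        from: "{{ item.1 }}"
        comment: LDAP Docker Access
      loop: "{{ ['389', '636'] | product(docker_ip_ranges) | list }}"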


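    - name: Ensure container for entities validation service is running
      docker_container:
        name: entities_validation_svc
        image: netz39/entities_validation_svc:v1.0.0
        pull: true
        state: started
        detach: true
        # Bound to loopback only: reachable through the Apache proxy site below,
        # not directly from the network. Same key name as the openLDAP task.
        published_ports:
          - "127.0.0.1:{{ entities_validation_svc_host_port }}:8080"
        restart_policy: unless-stopped
        env:
          # timezone is not defined in this play; expected from inventory.
          TZ: "{{ timezone }}"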

    # Apache reverse proxy in front of the loopback-bound validation container.
    - name: Setup proxy site entities-validation.svc.n39.eu
      vars:
        site_name: "entities-validation.svc.n39.eu"
        proxy_port: "{{ entities_validation_svc_host_port }}"
      include_role:
        name: setup_http_site_proxy

  handlers: