---
# tasklist for setting up fedmsg
# This is the base set of files needed for fedmsg

- name: Install needed packages
  ansible.builtin.package:
    state: present
    name:
    - libsemanage-python
    - python-psutil
  tags:
  - packages
  - fedmsg/base
  when: ansible_distribution_major_version|int < 8

- name: Install python2 fedmsg package
  ansible.builtin.package: name=fedmsg state=present
  when: "'python34_fedmsg' not in group_names and ansible_distribution_major_version|int < 22"
  tags: fedmsg/base

- name: Install python2 fedmsg package
  dnf: pkg=fedmsg state=present
  when: "'python34_fedmsg' not in group_names and ansible_distribution_major_version|int > 21"
  tags: fedmsg/base

- name: Install the python34 fedmsg package (yum)
  ansible.builtin.package: name=python34-fedmsg-core state=present
  when: "'python34_fedmsg' in group_names and ansible_distribution_major_version|int < 22"
  tags: fedmsg/base

- name: Install the python3 fedmsg package (dnf)
  dnf: pkg=python3-fedmsg state=present
  when: "'python34_fedmsg' in group_names and ansible_distribution_major_version|int > 21"
  tags: fedmsg/base

- name: Install needed packages
  dnf:
    name: ['libsemanage-python', 'python-psutil']
    state: present
  tags:
  - packages
  - fedmsg/base
  when: ansible_distribution_major_version|int < 31 and ansible_distribution == 'Fedora'

- name: Setup /etc/fedmsg.d directory
  ansible.builtin.file: path=/etc/fedmsg.d owner=root group=root mode=0755 state=directory
  tags:
  - config
  - fedmsg/base

- name: Remove any old static endpoints files
  ansible.builtin.file: dest="/etc/fedmsg.d/{{item}}" state=absent
  with_items:
  - endpoints-bodhi.py
  - endpoints-elections.py
  - endpoints-external-composer.py
  - endpoints-github2fedmsg.py
  - endpoints-kerneltest.py
  - pkgdb.py
  tags:
  - config
  - fedmsgdconfig
  - fedmsg/base

# Any files that change need to restart any services that depend on them.  A
# trick here is that some hosts have an httpd that uses fedmsg, while others do
# not.  Some hosts have a fedmsg-hub that uses this config, while others do not.
# Our handlers in handlers/restart_services.yml are smart enough to
# *conditionally* restart these services, only if they are installed on the
# system.
- name: Setup basic /etc/fedmsg.d/ contents for internal hosts
  ansible.builtin.template: >
    src="{{ item }}.j2"
    dest="/etc/fedmsg.d/{{ item }}"
    owner=root
    group=root
    mode=0644
  with_items:
  - ssl.py
  - endpoints.py
  - endpoints-anitya.py
  - endpoints-fedbadges.py
  - endpoints-hotness.py
  - endpoints-mailman.py
  - endpoints-fedimg.py
  - endpoints-bugzilla2fedmsg.py
  - relay.py
  - logging.py
  - base.py
  when: "'persistent_cloud' not in group_names"
  tags:
  - config
  - fedmsgdconfig
  - fedmsg/base
  notify:
  - Reload httpd
  - Restart fedmsg-gateway
  - Restart fedmsg-hub
  - Restart fedmsg-irc
  - Restart fedmsg-relay

- name: Dynamically generate policy from group/host vars.
  ansible.builtin.template: >
    src="{{ item }}.j2"
    dest="/etc/fedmsg.d/{{ item }}"
    owner=root
    group=root
    mode=0644
  with_items:
  - policy.py
  when: "'persistent_cloud' not in group_names"
  tags:
  - config
  - fedmsgdconfig
  - fedmsgdpolicy
  - fedmsg/base
  notify:
  - Reload httpd
  - Restart fedmsg-gateway
  - Restart fedmsg-hub
  - Restart fedmsg-irc
  - Restart fedmsg-relay

- name: Setup basic /etc/fedmsg.d/ contents for firewalled/external hosts
  ansible.builtin.template: >
    src="{{ item }}.j2"
    dest="/etc/fedmsg.d/{{ item }}"
    owner=root
    group=root
    mode=0644
  with_items:
  - ssl.py
  - relay.py
  - logging.py
  - base.py
  when: "'persistent_cloud' in group_names"
  tags:
  - config
  - fedmsgdconfig
  - fedmsg/base
  notify:
  - Reload httpd
  - Restart fedmsg-gateway
  - Restart fedmsg-hub
  - Restart fedmsg-irc
  - Restart fedmsg-relay

- name: Install fedmsg-relay in case we're in debug mode.
  ansible.builtin.package: name=fedmsg-relay state=present
  when: fedmsg_debug_loopback == true and ansible_distribution_major_version|int < 22
  tags:
  - fedmsg_loopback
  - fedmsg/base
  notify:
  - Reload httpd
  - Restart fedmsg-gateway
  - Restart fedmsg-hub
  - Restart fedmsg-irc
  - Restart fedmsg-relay

- name: Install fedmsg-relay in case we're in debug mode.
  dnf: name=fedmsg-relay state=present
  when: fedmsg_debug_loopback == true and ansible_distribution_major_version|int > 21
  tags:
  - fedmsg_loopback
  - fedmsg/base
  notify:
  - Reload httpd
  - Restart fedmsg-gateway
  - Restart fedmsg-hub
  - Restart fedmsg-irc
  - Restart fedmsg-relay

- name: Destroy standard config to make way for debug loopback.
  ansible.builtin.file: dest=/etc/fedmsg.d/{{item}} state=absent
  with_items:
  - relay.py
  - policy.py
  when: fedmsg_debug_loopback == true
  tags:
  - fedmsg_loopback
  - fedmsg/base
  notify:
  - Reload httpd
  - Restart fedmsg-gateway
  - Restart fedmsg-hub
  - Restart fedmsg-irc
  - Restart fedmsg-relay

- name: Overwrite standard config with local fedmsg debugging loopback
  ansible.builtin.copy: src=relay-debug-loopback.py dest=/etc/fedmsg.d/relay.py
  when: fedmsg_debug_loopback == true
  tags:
  - fedmsg_loopback
  - fedmsg/base
  notify:
  - Reload httpd
  - Restart fedmsg-gateway
  - Restart fedmsg-hub
  - Restart fedmsg-irc
  - Restart fedmsg-relay

- name: Start fedmsg-relay, only for loopback testing
  service: name=fedmsg-relay state=started
  when: fedmsg_debug_loopback == true
  tags:
  - fedmsg_loopback
  - fedmsg/base

- name: Setup /etc/pki/fedmsg directory
  ansible.builtin.file: path=/etc/pki/fedmsg owner=root group=root mode=0755 state=directory
  tags:
  - config
  - fedmsg/base

- name: Install fedmsg ca.cert
  ansible.builtin.copy: >
    src="{{ private }}/files/fedmsg-certs/keys/ca.crt"
    dest=/etc/pki/fedmsg/ca.crt
    owner=root
    group=root
    mode=0644
  tags:
  - config
  - fedmsg/base

- name: Fedmsg certs
  ansible.builtin.copy: >
    src="{{ private }}/files/fedmsg-certs/keys/{{item['service']}}-{{fedmsg_fqdn | default(inventory_hostname)}}.crt"
    dest=/etc/pki/fedmsg/
    mode=644
    owner={{item['owner']}}
    group={{item['group']}}
  with_items:
  - "{{ fedmsg_certs }}"
  when: fedmsg_certs != []
  tags:
  - config
  - fedmsg/base

- name: Fedmsg keys
  ansible.builtin.copy: >
    src="{{ private }}/files/fedmsg-certs/keys/{{item['service']}}-{{fedmsg_fqdn | default(inventory_hostname)}}.key"
    dest=/etc/pki/fedmsg/
    mode=0640
    owner={{item['owner']}}
    group={{item['group']}}
  with_items:
  - "{{ fedmsg_certs }}"
  when: fedmsg_certs != []
  tags:
  - config
  - fedmsg/base

# Three tasks for handling our custom selinux module
- name: Ensure a directory exists for our custom selinux module
  ansible.builtin.file: dest=/usr/local/share/fedmsg state=directory
  tags:
  - fedmsg/base

- name: Copy over our custom selinux module
  ansible.builtin.copy: src=selinux/fedmsg.pp dest=/usr/local/share/fedmsg/fedmsg.pp
  register: selinux_module
  tags:
  - fedmsg/base

- name: Install our custom selinux module
  ansible.builtin.command: semodule -i /usr/local/share/fedmsg/fedmsg.pp
  when: selinux_module is changed
  tags:
  - fedmsg/base

# Also, label the ports that we commonly use for fedmsg under mod_wsgi
# to be http_port_t so selinux lets apache bind there.
- name: Check semanage ports
  ansible.builtin.command: semanage port -l
  register: semanageoutput
  check_mode: no
  changed_when: "1 != 1"
  tags:
  - fedmsg/base

- name: Set ports so httpd can bind to fedmsg endpoints
  ansible.builtin.command: semanage port -a -t http_port_t -p tcp 3000-3100
  when: semanageoutput.stdout.find("3000-3100") == -1
  tags:
  - fedmsg/base

- name: Check if the nrpe user exists
  ansible.builtin.shell: /usr/bin/getent passwd nrpe | /usr/bin/wc -l | tr -d ' '
  register: nrpe_exists
  check_mode: no
  changed_when: "1 != 1"
  tags:
  - fedmsg/base

- name: Add nrpe user to the fedmsg group if it exists
  user: name=nrpe groups=fedmsg append=yes
  when: nrpe_exists.stdout == "1"
  tags:
  - fedmsg/base