## Install and configure nextcloud.

- name: check if we are installing
  stat: path="{{ nc_dir }}"
  register: nextcloud

- name: check for nextcloud archive
  local_action: stat path=nextcloud.tar.bz2
  become: No
  register: nc_archive
  when: not nextcloud.stat.exists

- name: stop if nextcloud archive is unavailable
  fail:
    msg: >
      The nextcloud archive nextcloud.tar.bz2 is not available.
      Download the latest stable release from 'nextcloud.com',
      check the signature, rename it and copy it next to 'cloudbox.yml'.
  when: >
    not nextcloud.stat.exists and not nc_archive.stat.exists and
    not run_in_installer|default(false)|bool

## We can start with the installation now:

- name: install apache, firewalld, php- and db-packages
  apt:
    name:
      - apache2
      - firewalld
      - mariadb-server
      - python3-pymysql
      - php-apcu
      - php-bcmath
      - php-fpm
      - php-curl
      - php-gd
      - php-gmp
      - php-imagick
      - php-intl
      - php-json
      - php-ldap
      - php-mbstring
      - php-mysql
      - php-xml
      - php-zip
      - unzip
    state: latest

- name: disable apache modules
  apache2_module:
    state: absent
    name: "{{ item }}"
  with_items:
    - mpm_prefork
    - mpm_worker
  notify: "restart apache2"

- name: enable apache modules
  apache2_module:
    name: "{{ item }}"
  with_items:
    - proxy_fcgi
    - mpm_event
    - rewrite
    - headers
    - ssl
    - http2
  notify: "restart apache2"

- name: find php version
  shell: ls /etc/php/ | sort | tail -1
  register: php_ver
  changed_when: False

- name: enable php-fpm conf
  command: a2enconf php{{ php_ver.stdout }}-fpm
  args:
    creates: /etc/apache2/conf-enabled/php{{ php_ver.stdout }}-fpm.conf
  notify: "restart apache2"

- name: tune php-fpm
  replace:
    dest: /etc/php/{{ php_ver.stdout }}/fpm/pool.d/www.conf
    regexp: "{{ item.regex }}"
    replace: "{{ item.replace }}"
  with_items:
    - { regex: "^pm.max_children = .*$", replace: "pm.max_children = 120" }
    - { regex: "^pm.start_servers = .*$", replace: "pm.start_servers = 12" }
    - { regex: "^pm.min_spare_servers = .*$", replace: "pm.min_spare_servers = 6" }
    - { regex: "^pm.max_spare_servers = .*$", replace: "pm.max_spare_servers = 18" }
  notify: "restart php-fpm"

- name: increase php memory limit
  replace:
    dest: "/etc/php/{{ php_ver.stdout }}/fpm/php.ini"
    regexp: "^memory_limit = .*"
    replace: "memory_limit = 512M"
  notify: "restart apache2"

- name: provide nextcloud site
  copy:
    src: nextcloud.conf
    dest: /etc/apache2/sites-available/nextcloud.conf
  notify: "restart apache2"

- name: enable nextcloud site
  command: a2ensite nextcloud.conf
  args:
    creates: /etc/apache2/sites-enabled/nextcloud.conf
  notify: "restart apache2"

- name: enable https
  shell: 'grep -q "VirtualHost .*:443" * || a2ensite default-ssl.conf'
  args:
    chdir: /etc/apache2/sites-enabled/
    creates: default-ssl.conf
  notify: "restart apache2"
  register: cmd_result
  changed_when: cmd_result.stdout != '' and cmd_result.stdout is not search('skipped')

- name: make sure data directory exists
  file:
    path: "{{ data_dir }}"
    state: directory
    owner: www-data
    group: www-data

## install nextcloud:
- name: download nextcloud archive
  get_url:
    url: "{{ nc_download }}"
    dest: /tmp/nextcloud.tar.bz2
    checksum: "{{ nc_checksum }}"
  when: run_in_installer|default(false)|bool

- name: unpack downloaded nextcloud archive
  unarchive:
    src: /tmp/nextcloud.tar.bz2
    dest: "{{ www_root }}"
    owner: www-data
    group: www-data
    remote_src: Yes
  when: not nextcloud.stat.exists and run_in_installer|default(false)|bool

- name: unpack provided nextcloud archive
  unarchive:
    src: nextcloud.tar.bz2
    dest: "{{ www_root }}"
    owner: www-data
    group: www-data
  when: not nextcloud.stat.exists and not run_in_installer|default(false)|bool

- name: start mariadb during installation
  command: /etc/init.d/mysql start
  when: run_in_installer|default(false)|bool

- name: create database with name 'nextcloud'
  mysql_db:
    login_unix_socket: /var/run/mysqld/mysqld.sock
    name: nextcloud
    state: present
  when: not nextcloud.stat.exists

- name: create database user 'nextcloud'
  mysql_user:
    login_unix_socket: /var/run/mysqld/mysqld.sock
    name: nextcloud
    password: "{{ db_nextcloud_pwd }}"
    priv: 'nextcloud.*:ALL'
    state: present
  when: not nextcloud.stat.exists

- name: initialize nextcloud
  command:
    cmd: >
      sudo -u www-data php ./occ maintenance:install
      --database "mysql"
      --database-name "nextcloud"
      --database-user "nextcloud"
      --database-pass "{{ db_nextcloud_pwd }}"
      --admin-user "nc-admin"
      --admin-pass "{{ nc_admin_pwd }}"
      --data-dir "{{ data_dir }}"
  args:
    chdir: "{{ nc_dir }}"
  no_log: True
  when: not nextcloud.stat.exists

- name: dump nc-admin password
  shell: echo -n "{{ nc_admin_pwd }}" > "{{ nc_admin_pwd_file }}" ; chmod 0600 "{{ nc_admin_pwd_file }}"
  no_log: True
  when: not nextcloud.stat.exists

- name: enable APCu memcache
  command: sudo -u www-data php ./occ config:system:set memcache.local --value='\OC\Memcache\APCu'
  args:
    chdir: "{{ nc_dir }}"
    warn: False
  when: not nextcloud.stat.exists

- name: allow access from LAN
  command: sudo -u www-data php ./occ config:system:set trusted_domains 1 --value='192.168.*.*'
  args:
    chdir: "{{ nc_dir }}"
    warn: False
  when: not nextcloud.stat.exists

## nextcloudcron
- name: provide nextcloudcron.service and .timer
  copy:
    src: "{{ item }}"
    dest: "/etc/systemd/system/{{ item }}"
  with_items:
    - nextcloudcron.service
    - nextcloudcron.timer
  notify: "enable nextcloudcron.timer"

- name: check/run upgrade
  command: sudo -u www-data php updater.phar --no-interaction
  args:
    chdir: "{{ nc_dir }}/updater"
    warn: False
  register: cmd_result
  changed_when: cmd_result.stdout is not search('Nothing to do.')
  when: allow_download|bool

## app updates and installations:
- name: update apps
  command: "sudo -u www-data php ./occ app:update --all"
  args:
    chdir: "{{ nc_dir }}"
    warn: False
  register: cmd_result
  changed_when: cmd_result.stdout | length > 0
  when: allow_download|bool

- name: install extra apps
  command: "sudo -u www-data php ./occ app:install {{ item }}"
  args:
    chdir: "{{ nc_dir }}"
    warn: False
  with_items: "{{ nc_apps }}"
  register: cmd_result
  changed_when: cmd_result.stdout is not search('already installed')
  failed_when:  cmd_result.stdout is not search('already installed') and cmd_result.rc != 0
  when: allow_download|bool or run_in_installer|default(false)|bool

## nextcloud maintenance
- name: add missing indices
  command: "sudo -u www-data php ./occ db:add-missing-indices"
  args:
    chdir: "{{ nc_dir }}"
    warn: False
  register: cmd_result
  changed_when: cmd_result.stdout is search('table updated successfully')

- name: add missing columns
  command: "sudo -u www-data php ./occ db:add-missing-columns"
  args:
    chdir: "{{ nc_dir }}"
    warn: False
  register: cmd_result
  changed_when: cmd_result.stdout is search('table updated successfully')


- name: add default NIC to public zone
  firewalld:
    interface: "{{ ansible_default_ipv4.interface }}"
    zone: public
    permanent: Yes
    immediate: Yes
    state: enabled
  when: not run_in_installer|default(false)|bool

- name: add default NIC to public zone, offline
  command: "firewall-offline-cmd --add-interface={{ ansible_default_ipv4.interface }} --zone=public"
  when: run_in_installer|default(false)|bool

- name: allow https in firewalld
  firewalld:
    zone: public
    service: https
    permanent: Yes
    immediate: Yes
    state: enabled
  when: not run_in_installer|default(false)|bool

- name: allow https in firewalld, offline
  command: "firewall-offline-cmd --add-service=https"
  when: run_in_installer|default(false)|bool

#################################################################
## kerberox integration:

- name: install libapache2-mod-auth-gssapi
  apt:
    name: libapache2-mod-auth-gssapi
    state: latest
  when: "'kerberize' in role_names"
  notify: "restart apache2"

- name: copy keytab for www-data
  copy:
    src: /etc/krb5.keytab
    dest: /etc/krb5.keytab.http
    group: www-data
    mode: "0640"
    remote_src: yes
    force: no
  when: "'kerberize' in role_names"
  notify: "restart apache2"

- name: provide kerberos SSO config
  copy:
    src: krb5-nextcloud.conf
    dest: /etc/apache2/sites-available/krb5-nextcloud.conf
  when: "'kerberize' in role_names"
  notify: "restart apache2"

- name: enable kerberos access to nextcloud site
  command: a2ensite krb5-nextcloud.conf
  args:
    creates: /etc/apache2/sites-enabled/krb5-nextcloud.conf
  notify: "restart apache2"
  when: "'kerberize' in role_names"

- name: allow https in firewalld
  firewalld:
    zone: internal
    service: https
    permanent: Yes
    immediate: Yes
    state: enabled
  when: not run_in_installer|default(false)|bool and 'kerberize' in role_names

- name: allow https in firewalld, offline
  command: "firewall-offline-cmd --add-service=https --zone=internal"
  when: run_in_installer|default(false)|bool and 'kerberize' in role_names

- name: allow access from kerberized LAN
  command: sudo -u www-data php ./occ config:system:set trusted_domains 2 --value='{{ ansible_hostname }}.{{ ansible_domain }}'
  args:
    chdir: "{{ nc_dir }}"
    warn: False
  when: not nextcloud.stat.exists and 'kerberize' in role_names


# sudo -u www-data php ./occ app:enable user_ldap
# sudo -u www-data php ./occ app:install user_saml
# sudo -u www-data php ./occ ldap