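---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
#
# Task list: install LDAP Account Manager (LAM) from the AUR, seed its
# configuration from the shipped samples, write the server profile for
# `{{nickname}}`, and publish it through nginx. The upstream/local etckeeper
# steps bracket the changes so /etc stays committed.

### UPSTREAM BEGIN ⇒ ###
- name: pull prerequisites from upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: upstream.yml
  vars:
    msg: LDAP Account Manager
### ⇐ UPSTREAM BEGIN ###

- name: install AUR software
  include_role:
    name: aur.inc
    allow_duplicates: true
  vars:
    packages:
      - ldap-account-manager
    aur_user: git

### UPSTREAM END ⇒ ###
- name: merge upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: merge.yml
  vars:
    msg: LDAP Account Manager
### ⇐ UPSTREAM END ###

# Modes are quoted so the YAML parser cannot reinterpret the leading-zero
# octal literal; Ansible accepts the string form unchanged.
- name: ensure some directories exist
  file:
    path: /etc/webapps/ldap-account-manager/{{item}}
    state: directory
    group: http
    mode: "0770"
  with_items:
    - pdf
    - profiles
    - pdf/{{nickname}}
    - profiles/{{nickname}}

# Hard-links (cp -al) keep the per-server copies in sync with the package
# templates until a file is rewritten; `creates` (a glob) makes the step
# idempotent once at least one file exists in the target directory.
- name: create the template-based PDF configuration
  shell: |
    cp -al templates/pdf/* "pdf/{{nickname}}/"
  args:
    chdir: /etc/webapps/ldap-account-manager
    creates: /etc/webapps/ldap-account-manager/pdf/{{nickname}}/*

# NOTE(review): this also copies templates/pdf/* into the profiles directory;
# looks like a copy-paste leftover from the PDF task — confirm it is intended.
- name: create the template-based profile configuration
  shell: |
    cp -al templates/pdf/* templates/profiles/* "profiles/{{nickname}}/"
  args:
    chdir: /etc/webapps/ldap-account-manager
    creates: /etc/webapps/ldap-account-manager/profiles/{{nickname}}/*

# `force: false` seeds config.cfg from the sample only once; later runs keep
# the edited file so the lineinfile task below stays authoritative.
- name: main lam configuration
  copy:
    remote_src: true
    src: /etc/webapps/ldap-account-manager/config.cfg.sample
    dest: /etc/webapps/ldap-account-manager/config.cfg
    group: http
    mode: "0660"
    force: false

# The loop carries the LAM master password, so item output is suppressed
# with no_log (Ansible otherwise prints every loop item in the task result).
# encryptSession is a quoted string so the rendered line reads
# "encryptSession: false" rather than Python's "False".
- name: custom lam configuration
  lineinfile:
    path: /etc/webapps/ldap-account-manager/config.cfg
    regexp: '^{{item.key}}:'
    line: '{{item.key}}: {{item.value}}'
  with_dict:
    default: '{{nickname}}'
    logLevel: 4
    logDestination: SYSLOG
    encryptSession: 'false'
    password: '{{lam_master_password}}'
    passwordMinLength: '{{lam_passwordMinLength}}'
    passwordMinUpper: '{{lam_passwordMinUpper}}'
    passwordMinLower: '{{lam_passwordMinLower}}'
    passwordMinNumeric: '{{lam_passwordMinNumeric}}'
    passwordMinSymbol: '{{lam_passwordMinSymbol}}'
    passwordMinClasses: '{{lam_passwordMinClasses}}'
    checkedRulesCount: '{{lam_checkedRulesCount}}'
    passwordMustNotContain3Chars: '{{lam_passwordMustNotContain3Chars}}'
    passwordMustNotContainUser: '{{lam_passwordMustNotContainUser}}'
  no_log: true

# Server profile for {{nickname}}. Keys follow LAM's "section: key" layout;
# the regexp keeps the trailing colon so e.g. hideO never matches hideOu.
# The Passwd item is the master password, hence no_log on the whole loop.
- name: custom lam profile
  lineinfile:
    path: /etc/webapps/ldap-account-manager/{{nickname}}.conf
    create: true
    group: http
    mode: "0660"
    regexp: '^{{item.k}}:'
    line: '{{item.k}}: {{item.v}}'
  with_items:
    - {k: 'Passwd', v: '{{lam_master_password}}'}
    - {k: 'ServerURL', v: 'ldapi://%2Frun%2Fshared_sockets%2Fldapi/'}
    - {k: 'serverDisplayName', v: '{{nickname}}'}
    - {k: 'defaultLanguage', v: '{{locales_default}}'}
    - {k: 'timeZone', v: '{{timezone}}'}
    - {k: 'loginMethod', v: 'search'}
    - {k: 'loginSearchSuffix', v: 'ou=Users,{{ldap_root}}'}
    - {k: 'loginSearchFilter', v: 'uid=%USER%'}
    - {k: 'loginSearchDN', v: ''}
    - {k: 'loginSearchPassword', v: ''}
    - {k: 'httpAuthentication', v: 'true'}
    - {k: 'useTLS', v: 'no'}
    - {k: 'treesuffix', v: '{{ldap_root}}'}
    - {k: 'pwdResetAllowSpecificPassword', v: 'true'}
    - {k: 'pwdResetAllowScreenPassword', v: 'true'}
    - {k: 'pwdResetForcePasswordChange', v: 'true'}
    - {k: 'pwdResetDefaultPasswordOutput', v: '2'}
    - {k: 'tools: tool_hide_toolSchemaBrowser', v: 'true'}
    - {k: 'tools: tool_hide_toolTests', v: 'true'}
    - {k: 'tools: tool_hide_toolServerInformation', v: 'true'}
    - {k: 'tools: tool_hide_toolProfileEditor', v: 'true'}
    - {k: 'tools: tool_hide_toolPDFEditor', v: 'true'}
    - {k: 'tools: tool_hide_toolOUEditor', v: 'true'}
    - {k: 'tools: tool_hide_toolFileUpload', v: 'true'}
    - {k: 'tools: tool_hide_toolMultiEdit', v: 'true'}
    - {k: 'activeTypes', v: 'user,mailAlias'}
    - {k: 'types: suffix_user', v: 'ou=Users,{{ldap_root}}'}
    - {k: 'types: attr_user', v: '#uid;#givenName;#cn;#sn;#mail'}
    - {k: 'types: modules_user', v: 'inetOrgPerson'}
    - {k: 'types: suffix_group', v: 'ou=Groups,{{ldap_root}}'}
    - {k: 'types: attr_group', v: '#cn;#memberUID'}
    - {k: 'types: modules_group', v: 'posixGroup'}
    - {k: 'types: suffix_mailAlias', v: 'ou=Aliases,{{ldap_root}}'}
    - {k: 'types: attr_mailAlias', v: '#cn;#rfc822MailMember'}
    - {k: 'types: modules_mailAlias', v: 'nisMailAlias'}
    - {k: 'modules: posixAccount_pwdHash', v: 'SSHA'}
    - {k: 'modules: inetOrgPerson_hideDescription', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideStreet', v: 'true'}
    - {k: 'modules: inetOrgPerson_hidePostOfficeBox', v: 'true'}
    - {k: 'modules: inetOrgPerson_hidePostalCode', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideLocation', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideState', v: 'true'}
    - {k: 'modules: inetOrgPerson_hidePostalAddress', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideRegisteredAddress', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideOfficeName', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideRoomNumber', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideTelephoneNumber', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideHomeTelephoneNumber', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideMobileNumber', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideFaxNumber', v: 'true'}
    - {k: 'modules: inetOrgPerson_hidePager', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideJobTitle', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideCarLicense', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideEmployeeType', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideBusinessCategory', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideDepartments', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideManager', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideOu', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideO', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideEmployeeNumber', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideInitials', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideuserCertificate', v: 'true'}
    - {k: 'modules: inetOrgPerson_addAddressbook', v: 'false'}
    - {k: 'modules: inetOrgPerson_readOnly_mail', v: 'true'}
    - {k: 'modules: inetOrgPerson_readOnly_uid', v: 'true'}
    - {k: 'modules: inetOrgPerson_hideUID', v: 'false'}
  no_log: true

# NOTE(review): `alias` inside a prefix `location` is only safe when the
# prefix ({{http_pfx_lam}}) ends with "/" and so does the alias path;
# confirm the variable's value. `autoindex on` lists the webapp root, and
# nothing here denies static access to LAM's config/ sess/ tmp/ directories
# — if the package links config/ to /etc/webapps (as Arch webapps usually
# do), config.cfg would be served as a plain file; a deny rule for those
# paths is worth adding after verifying the installed layout.
- name: configure nginx for ldap-account-manager
  copy:
    content: |
      location {{http_pfx_lam}} {
        alias /usr/share/webapps/ldap-account-manager;
        autoindex on;
        rewrite ^({{http_pfx_lam}})(/.*?\.php)(/.*)?$ /php...$document_root/...$1/...$2/...$3 last;
      }
    dest: /etc/nginx/inc.d/lam.https.inc
    mode: "0440"
    owner: http
    group: http
  notify:
    - restart nginx.service

### LOCAL COMMIT ⇒ ###
- name: commit local changes
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: local.yml
  vars:
    msg: LDAP Account Manager
### ⇐ LOCAL COMMIT ###

- meta: flush_handlers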