---
#
# edX Configuration
#
# github:     https://github.com/edx/configuration
# wiki:       https://openedx.atlassian.net/wiki/display/OpenOPS
# code style: https://openedx.atlassian.net/wiki/display/OpenOPS/Ansible+Code+Conventions
# license:    https://github.com/edx/configuration/blob/master/LICENSE.TXT
#
#
#
# Tasks for role certs
#
# Overview:
#
# Installs the edX certificate server.
#
# The certificates repo is currently *not* public
# because it contains sensitive information; it may
# be made public in the future.
#
# Dependencies:
#   - common
#   - supervisor
#
#
# Example play:
#
#   - roles:
#     - common
#     - supervisor
#     - certs
#
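# Service account the certificate server runs as. Its home is the app
# dir, and it gets no login shell.
- name: Create application user
  user:
    name: "{{ certs_user }}"
    home: "{{ certs_app_dir }}"
    # The home directory is created by the "Create certs app dirs" task
    # with explicit ownership, so the user module must not create it.
    # `false` rather than `no`: the latter is a YAML 1.1-only boolean.
    createhome: false
    shell: /bin/false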

# Directories the certs service needs. They are owned by the service
# account with the web group, so both sides can traverse them.
# NOTE(review): no mode is set, so these inherit the umask; if .ssh
# ends up holding deploy-key material, confirm it is not group/world
# listable and tighten it in a separate task.
- name: Create certs app dirs
  file:
    state: directory
    path: '{{ item }}'
    owner: '{{ certs_user }}'
    group: '{{ common_web_group }}'
  with_items:
    - '{{ certs_app_dir }}'
    # the ansible 1.5 git module expects this directory to exist
    - '{{ certs_app_dir }}/.ssh'
    - '{{ certs_venvs_dir }}'
    - '{{ certs_data_dir }}'

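# The certs web root must be owned by the web user so the certs service
# can write files there.
- name: Create certs web root
  file:
    path: "{{ CERTS_WEB_ROOT }}"
    state: directory
    # Use the web *user* variable for the owner. The original passed the
    # web group's name as the owner, which only works on hosts where a
    # user of the same name happens to exist.
    owner: "{{ common_web_user }}"
    # A user name is passed as the group; this relies on a group named
    # after certs_user existing (the user module's default behaviour).
    group: "{{ certs_user }}"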

# GnuPG home for the signing key. Private to the web user (0700), the
# account the gpg import tasks below run as.
- name: Create certs gpg dir
  file:
    state: directory
    path: '{{ certs_gpg_dir }}'
    owner: '{{ common_web_user }}'
    mode: '0700'

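# Stage the private GPG signing key on the host. Only the web user can
# read it (0600) and task output is suppressed so the key material does
# not end up in logs or diff output.
# NOTE(review): the staged key file remains in certs_app_dir after it is
# imported into the keyring. The `changed` status registered here gates
# the import below, so deleting the file after import would re-copy and
# re-import on every run; keep it, or rework the gating first.
- name: Copy the private gpg signing key
  copy:
    src: "{{ CERTS_LOCAL_PRIVATE_KEY }}"
    dest: "{{ certs_app_dir }}/{{ CERTS_LOCAL_PRIVATE_KEY | basename }}"
    owner: "{{ common_web_user }}"
    mode: "0600"
  register: certs_gpg_key
  # Must stay on: this task handles private key material.
  no_log: true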

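# Stage the exported ownertrust. Registered so that a change to the
# trust data alone triggers the ownertrust import below; previously the
# import only ran when the private key changed, so an updated
# CERTS_OWNER_TRUST was silently never applied.
- name: Copy the pgp trust export
  copy:
    content: "{{ CERTS_OWNER_TRUST }}"
    dest: "{{ certs_app_dir }}/trust.export"
    owner: "{{ common_web_user }}"
    mode: "0600"
  register: certs_trust_export

# Import the staged key into the web user's keyring. `command` rather
# than `shell`: no shell features are used, so the templated paths are
# passed as discrete arguments instead of being re-parsed by a shell.
# NOTE(review): the import is gated on the copy having changed, so if
# gpg fails here the next run skips it (the file is already in place).
# Remove the staged key file to force the copy, and thus the import,
# to run again.
- name: Load the gpg key
  command: "/usr/bin/gpg --homedir {{ certs_gpg_dir }} --import {{ certs_app_dir }}/{{ CERTS_LOCAL_PRIVATE_KEY | basename }}"
  become_user: "{{ common_web_user }}"
  when: certs_gpg_key.changed

# Apply the ownertrust. Runs when either the key or the trust export
# changed, so new trust data is picked up without a new key.
- name: Import the trust export
  command: "/usr/bin/gpg --homedir {{ certs_gpg_dir }} --import-ownertrust {{ certs_app_dir }}/trust.export"
  become_user: "{{ common_web_user }}"
  when: certs_gpg_key.changed or certs_trust_export.changed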

# Deployment of the certs code itself lives in deploy.yml; tagged so the
# deploy step can be run on its own.
- include: deploy.yml
  tags: [deploy]