---
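# Install the PHP drivers that are enabled, lay out the SimpleSAMLphp
# directory tree, fetch and unpack the distribution, create the secret
# salt and render the configuration / metadata files.
- block:
  - name: Install the php postgresql driver
    apt:
      name: '{{ simplesaml_php_pg_driver }}'
      state: present
      cache_valid_time: 1800
    when: simplesaml_use_postgresql | bool

  - name: Install the php ldap driver
    apt:
      name: '{{ simplesaml_php_ldap_driver }}'
      state: present
      cache_valid_time: 1800
    when: simplesaml_use_ldap | bool

  - name: Install the php redis driver
    apt:
      name: '{{ simplesaml_php_redis_driver }}'
      state: present
      cache_valid_time: 1800
    when: simplesaml_use_redis_sessions | bool

  - name: Install the php memcache driver
    apt:
      name: '{{ simplesaml_php_memcache_driver }}'
      state: present
      cache_valid_time: 1800
    when: simplesaml_use_memcache_sessions | bool

  # These directories hold certificates, the salt and session data, so
  # they are private to the service user.
  - name: Ensure that the data, log, etc dirs exist
    file:
      path: '{{ item }}'
      state: directory
      owner: '{{ simplesaml_user }}'
      mode: '0700'
    with_items:
      - '{{ simplesaml_tmp_dir }}'
      - '{{ simplesaml_cert_dir }}'
      - '{{ simplesaml_data_dir }}'
      - '{{ simplesaml_log_dir }}'
      - '{{ simplesaml_maintenance_dir }}'

  - name: Ensure that the download dir exists
    file:
      path: '{{ simplesaml_download_dir }}'
      state: directory

  # The download / unpack / move steps only run on a fresh install, i.e.
  # when the install dir does not exist yet.
  - name: Verify if the simplesaml install dir exists
    stat:
      path: '{{ simplesaml_install_dir }}'
    register: simplesaml_inst_dir_status

  # NOTE(review): the tarball is only protected by TLS certificate
  # validation; consider adding the get_url 'checksum' parameter with a
  # known-good digest of the release so a tampered archive is rejected.
  - name: Download the simplesaml distribution file
    get_url:
      url: '{{ simplesaml_tar_url }}'
      dest: '{{ simplesaml_download_dir }}'
      validate_certs: true
    when: not simplesaml_inst_dir_status.stat.exists

  - name: Unpack the simplesaml distribution file
    unarchive:
      src: '{{ simplesaml_download_dir }}/{{ simplesaml_dist_file }}'
      dest: '{{ simplesaml_srv_base_dir }}'
      remote_src: true
    when: not simplesaml_inst_dir_status.stat.exists

  # No shell features are needed for a plain mv; 'creates' keeps the task
  # idempotent if the play is re-run after the move succeeded.
  - name: Move the simplesaml distribution data
    command: mv {{ simplesaml_srv_base_dir }}/{{ simplesaml_dist_basename }} {{ simplesaml_install_dir }}
    args:
      creates: '{{ simplesaml_install_dir }}'
    when: not simplesaml_inst_dir_status.stat.exists

  # The salt is a secret: it is generated once (creates), never printed
  # (no_log) and not world-readable.
  - name: Create the secret salt
    shell: >-
      LC_CTYPE=C tr -c -d '0123456789abcdefghijklmnopqrstuvwxyz' </dev/urandom
      | dd bs=32 count=1 2>/dev/null
      > '{{ simplesaml_maintenance_dir }}/.simplesaml_salt'
    args:
      creates: '{{ simplesaml_maintenance_dir }}/.simplesaml_salt'
    tags: [ 'simplesaml', 'simplesaml_php', 'simplesaml_config' ]

  - name: Restrict the secret salt file permissions
    file:
      path: '{{ simplesaml_maintenance_dir }}/.simplesaml_salt'
      group: '{{ simplesaml_user }}'
      mode: '0640'
    tags: [ 'simplesaml', 'simplesaml_php', 'simplesaml_config' ]

  - name: Get the salt value, encode
    slurp:
      src: '{{ simplesaml_maintenance_dir }}/.simplesaml_salt'
    register: simplesaml_salt_encoded_value
    no_log: true
    tags: [ 'simplesaml', 'simplesaml_php', 'simplesaml_config' ]

  - name: Decode the salt value
    set_fact:
      simplesaml_salt_value: "{{ simplesaml_salt_encoded_value['content'] | b64decode }}"
    no_log: true
    tags: [ 'simplesaml', 'simplesaml_php', 'simplesaml_config' ]

  # config.php embeds the salt and credentials, hence root:<user> 0640.
  - name: Install the simplesaml config files
    template:
      src: '{{ item }}.php'
      dest: '{{ simplesaml_install_dir }}/config/{{ item }}.php'
      owner: root
      group: '{{ simplesaml_user }}'
      mode: '0640'
    with_items:
      - config
      - authsources
    tags: [ 'simplesaml', 'simplesaml_php', 'simplesaml_config' ]

  - name: Install the hosted IdP metadata file
    template:
      src: '{{ item }}.php'
      dest: '{{ simplesaml_install_dir }}/metadata/{{ item }}.php'
      owner: root
      group: '{{ simplesaml_user }}'
      mode: '0640'
    with_items:
      - saml20-idp-hosted

  - name: Install the global remote SP metadata file
    template:
      src: '{{ item }}.php'
      dest: '{{ simplesaml_install_dir }}/metadata/{{ item }}.php'
      owner: root
      group: '{{ simplesaml_user }}'
      mode: '0640'
    with_items:
      - saml20-sp-remote
    when: simplesaml_global_sp_remote_template | bool

  tags: [ 'simplesaml', 'simplesaml_php' ]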

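# Self-signed certificate handling, used only when no external
# certificate is provided: generate the key pair once on the designated
# host and push both files to the remaining hosts.
- block:
  # Generated on the designated host via delegate_to, so the task does not
  # depend on that host being the first one in the batch (run_once alone
  # evaluates the condition only on the first host).
  - name: Create a long lived self signed certificate for simplesaml
    command: >-
      openssl req -x509 -newkey rsa:2048
      -keyout {{ simplesaml_cert_dir }}/key.pem
      -out {{ simplesaml_cert_dir }}/server.crt
      -days 3650 -nodes -subj '/CN={{ simplesaml_servername }}'
    args:
      creates: '{{ simplesaml_cert_dir }}/server.crt'
    delegate_to: '{{ simplesaml_create_self_signed_cert_host }}'
    run_once: true

  # Push (from the certificate host) the certificate and the private key
  # to every other host; checksum avoids rewriting unchanged files.
  - name: Copy the self signed certificate and key from the first server to all the others
    synchronize:
      src: '{{ simplesaml_cert_dir }}/{{ item }}'
      dest: '{{ simplesaml_cert_dir }}/{{ item }}'
      mode: push
      checksum: true
    with_items:
      - server.crt
      - key.pem
    delegate_to: '{{ simplesaml_create_self_signed_cert_host }}'
    when: ansible_fqdn != simplesaml_create_self_signed_cert_host

  # The private key must be readable by the service user only.
  - name: Fix the self signed key permissions
    file:
      path: '{{ simplesaml_cert_dir }}/key.pem'
      owner: '{{ simplesaml_user }}'
      mode: '0400'

  when: not simplesaml_provide_an_external_cert | bool
  tags: [ 'simplesaml', 'simplesaml_php', 'simplesaml_cert' ]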

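# nginx virtual hosts: one site per php-fpm pool, enabled via symlink, plus
# the optional private client-body temp directory.
- block:
  - name: Install the nginx virtualhosts
    template:
      src: nginx-virthost.conf
      dest: '/etc/nginx/sites-available/{{ item.virthost }}'
      owner: root
      group: root
      mode: '0444'
    with_items: '{{ phpfpm_pools }}'
    notify: Reload nginx

  - name: Enable the nginx virtualhosts
    file:
      src: '/etc/nginx/sites-available/{{ item.virthost }}'
      dest: '/etc/nginx/sites-enabled/{{ item.virthost }}'
      state: link
    with_items: '{{ phpfpm_pools }}'
    notify: Reload nginx

  # Sticky bit + 0700: request bodies are only visible to the nginx user.
  - name: Create the nginx body temp directory
    file:
      path: '{{ nginx_client_body_temp_dir }}'
      state: directory
      owner: www-data
      group: www-data
      mode: '1700'
    when: nginx_client_body_temp_dir is defined

  tags: [ 'simplesaml', 'simplesaml_php', 'nginx', 'virtualhost' ]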