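# Guard: stop the play if a lockss group already exists with a GID other than
# the requested lockss_gid. The whole block is skipped when lockss_gid is
# unset or null.
- name: Prevent changing GID of existing group.
  when: lockss_gid is defined and lockss_gid is not none
  block:
    - name: Get groups.
      # Populates ansible_facts.getent_group, keyed by group name.
      getent:
        database: group

    - name: Assert that lockss group GID has not changed.
      assert:
        # Index 1 of a getent group entry is the GID field; lockss_gid is cast
        # to a string so it can be compared with the getent value.
        that: >-
          'lockss' not in ansible_facts.getent_group or
          ansible_facts.getent_group.lockss[1] == lockss_gid | string
        fail_msg: GID must be corrected manually.
        quiet: true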

# Ensure the lockss group exists. The gid parameter is passed only when
# lockss_gid is defined; otherwise it is omitted from the module call.
- name: Add the lockss group.
  group:
    state: present
    name: lockss
    gid: "{{ lockss_gid | default(omit) }}"

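# Guard: stop the play if a lockss user already exists with a UID other than
# the requested lockss_uid. The whole block is skipped when lockss_uid is
# unset or null.
- name: Prevent changing UID of existing user.
  when: lockss_uid is defined and lockss_uid is not none
  block:
    - name: Get users.
      # Populates ansible_facts.getent_passwd, keyed by user name.
      getent:
        database: passwd

    - name: Assert that lockss user UID has not changed.
      assert:
        # Index 1 of a getent passwd entry is the UID field; lockss_uid is
        # cast to a string so it can be compared with the getent value.
        that: >-
          'lockss' not in ansible_facts.getent_passwd or
          ansible_facts.getent_passwd.lockss[1] == lockss_uid | string
        fail_msg: UID must be corrected manually.
        quiet: true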

# Service account for LOCKSS: no login shell, home set to / and no home
# directory created. The uid parameter is passed only when lockss_uid is
# defined.
- name: Add the lockss user.
  user:
    state: present
    name: lockss
    comment: LOCKSS
    uid: "{{ lockss_uid | default(omit) }}"
    group: lockss
    home: /
    create_home: false
    shell: /sbin/nologin

# Supplementary membership only: append keeps the account's other groups.
# Membership of the docker group gives control of the Docker daemon, which is
# effectively root on the host, so the lockss account and every script run as
# it should be treated as privileged.
- name: Add the lockss user to the docker group.
  user:
    state: present
    name: lockss
    append: true
    groups: docker

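# Optionally apply the firewall tasks from firewall.yml.
- name: Configure the firewall.
  include_tasks: firewall.yml
  # The bool filter makes a string value such as "false" (for example from
  # key=value extra vars) evaluate as a boolean rather than as a non-empty
  # string, so the firewall tasks are not applied or skipped by accident.
  when: lockss_configure_firewall | bool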

# Read-only query of the Docker storage driver: it runs even in check mode
# and never reports a change. The raw markers keep Jinja from interpreting
# the Go template that is passed to docker.
- name: Check the storage driver used by Docker.
  register: r
  changed_when: false
  check_mode: false
  command:
    cmd: docker info -f {% raw %}'{{.Driver}}'{% endraw %}

# Fail the play unless the driver reported above is exactly overlay2.
- name: Ensure Docker is using the OverlayFS storage driver.
  assert:
    quiet: true
    that: r.stdout == "overlay2"

# Make this host a swarm manager. The advertised address is the loopback
# interface, so presumably this is meant as a single-node swarm that other
# hosts cannot join.
- name: Init a new swarm with default parameters.
  docker_swarm:
    advertise_addr: lo
    state: present

# Ubuntu: install pystache from the distribution package, restricted to the
# 0.5 series by the version glob.
- name: Install pystache (Ubuntu).
  when: ansible_distribution == "Ubuntu"
  package:
    state: present
    name: "python3-pystache=0.5.*"

# Ubuntu: make /usr/local/bin/pystache a root-owned symlink to
# /usr/bin/pystache3.
- name: Create symlink for pystache (Ubuntu).
  when: ansible_distribution == "Ubuntu"
  file:
    state: link
    dest: /usr/local/bin/pystache
    src: /usr/bin/pystache3
    owner: root

# CentOS: install pystache with pip, using python3 as the interpreter for
# this task. The requirement is a version range (>=0.5,<1.0), not an exact
# pin, so the release that gets installed can change between runs.
- name: Install pystache (CentOS).
  when: ansible_distribution == "CentOS"
  vars:
    ansible_python_interpreter: python3
  pip:
    state: present
    name:
      - pystache>=0.5,<1.0

# Ubuntu: install the python3-pkg-resources distribution package.
- name: Install python-pkg-resources (Ubuntu).
  when: ansible_distribution == "Ubuntu"
  package:
    state: present
    name:
      - python3-pkg-resources

# git is installed as a system package.
- name: Install git.
  package:
    state: present
    name: git

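# Checkout location for the LOCKSS repository, owned by the lockss account.
- name: Create LOCKSS source directory.
  file:
    path: /usr/src/lockss
    state: directory
    owner: lockss
    # Quoted so the mode reaches the module as the literal octal string and
    # does not depend on how the YAML parser types a leading-zero number.
    mode: "0755"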

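# Shallow checkout (depth 1) of the LOCKSS repository, skipped in check mode.
# Later tasks execute scripts from this checkout, so lockss_git_url and
# lockss_git_version decide what code runs on the host; a fixed release ref
# is safer than a moving branch.
- name: Pull LOCKSS repository.
  git:
    repo: "{{ lockss_git_url }}"
    dest: /usr/src/lockss
    version: "{{ lockss_git_version }}"
    depth: 1
  # become_user only takes effect when become is enabled. Setting it here, as
  # the "Shut down LOCKSS containers" task does, makes the checkout run as
  # lockss even if the play does not enable become; it changes nothing when
  # the play already does.
  become: true
  become_user: lockss
  when: not ansible_check_mode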

# ifconfig is provided by the net-tools package.
- name: Install ifconfig.
  package:
    state: present
    name: net-tools

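# Render config.info into the LOCKSS checkout. Templated values go through
# the quote filter, which shell-escapes them (presumably because the file is
# read by shell scripts - confirm).
#
# The file holds LOCKSS_MAILHUB_PASSWORD in clear text and unsalted SHA-256
# digests of the UI and database passwords, so it is treated as a secret:
# no_log keeps the rendered content out of task output and --diff, and the
# mode restricts reading to the owner.
# NOTE(review): the tasks in this file use the checkout only as lockss; if
# another account must read config.info, grant that through a group rather
# than by restoring world-read access.
- name: Install LOCKSS configuration.
  no_log: true
  copy:
    dest: /usr/src/lockss/config/config.info
    owner: lockss
    mode: "0600"
    content: |
      LOCKSS_CONFIG_VERSION=2
      LOCKSS_USER=lockss
      LOCKSS_HOSTNAME={{ lockss_hostname | quote }}
      LOCKSS_IPADDR={{ lockss_ipaddr | quote }}
      LOCKSS_EXTERNAL_IPADDR={{ lockss_external_ipaddr | quote }}
      LOCKSS_V3_PORT=9729
      LOCKSS_ACCESS_SUBNET={{ lockss_access_subnet | quote }}
      LOCKSS_MAILHUB={{ lockss_mailhub_host | default("localhost") | quote }}
      LOCKSS_MAILHUB_USER={{ lockss_mailhub_user | default | quote }}
      LOCKSS_MAILHUB_PASSWORD={{ lockss_mailhub_password | default | quote }}
      LOCKSS_EMAIL={{ lockss_admin_email | quote }}
      LOCKSS_PROPS_URL={{ lockss_props_url | quote }}
      LOCKSS_PROPS_PROXY=NONE
      LOCKSS_PROPS_SERVER_AUTHENTICATE_KEYSTORE=
      LOCKSS_TEST_GROUP=demo
      LOCKSS_DATA_DIR={{ lockss_data_dir | quote }}
      LOCKSS_LOGS_DIR=/var/log/lockss
      LOCKSS_ADMIN_USER={{ lockss_ui_user | default("admin") | quote }}
      LOCKSS_ADMIN_PASSWD=SHA-256:{{ lockss_ui_password | hash('sha256') }}
      LOCKSS_DB_PASSWD=SHA-256:{{ lockss_db_password | hash('sha256') }}
      LOCKSS_PROXY_PORT=24670
      LOCKSS_TMPDIR=/tmp
      LOCKSS_CLEAR_TMPDIR=no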
# Run the repository's shutdown script as lockss from the checkout directory;
# skipped in check mode. It comes before the Docker secret tasks, presumably
# so the secrets are not in use by a running service when they are updated.
- name: Shut down LOCKSS containers.
  when: not ansible_check_mode
  become: true
  become_user: lockss
  command:
    chdir: /usr/src/lockss
    cmd: scripts/shutdown-lockss
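# Store the clear-text UI password as the Docker secret lockss_ui_pass, using
# python3 as the interpreter for this task.
- name: Add Docker secret for UI password.
  vars:
    ansible_python_interpreter: python3
  # Keeps the secret value out of task output and logs at any verbosity.
  no_log: true
  docker_secret:
    name: lockss_ui_pass
    state: present
    data: "{{ lockss_ui_password }}"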

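# Store the clear-text database password as the Docker secret
# lockss-postgres-pass, using python3 as the interpreter for this task.
- name: Add Docker secret for database password.
  vars:
    ansible_python_interpreter: python3
  # Keeps the secret value out of task output and logs at any verbosity.
  no_log: true
  docker_secret:
    name: lockss-postgres-pass
    state: present
    data: "{{ lockss_db_password }}"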

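# Data directory, accessible to the lockss account only.
# NOTE(review): config.info takes LOCKSS_DATA_DIR from lockss_data_dir while
# this path is fixed - confirm the two always agree.
- name: Create LOCKSS data directory.
  file:
    path: /var/lib/lockss
    state: directory
    owner: lockss
    # Quoted so the mode reaches the module as the literal octal string and
    # does not depend on how the YAML parser types a leading-zero number.
    mode: "0700"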

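# Log directory: full access for the lockss owner and the adm group, none for
# others. The leading 2 sets the setgid bit, so new entries inherit the adm
# group.
- name: Create LOCKSS log directory.
  file:
    path: /var/log/lockss
    state: directory
    owner: lockss
    group: adm
    # Quoted so the mode reaches the module as the literal octal string and
    # does not depend on how the YAML parser types a leading-zero number.
    mode: "02770"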

# FIXME: These are not idempotent.

# FIXME: This could probably be a handler.
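# Run the repository's generate script from the checkout directory; skipped
# in check mode.
- name: Build LOCKSS configuration.
  command:
    cmd: scripts/generate-lockss
    chdir: /usr/src/lockss
  # become_user only takes effect when become is enabled. Setting it here, as
  # the "Shut down LOCKSS containers" task does, makes the script run as
  # lockss rather than as the connecting user if the play does not enable
  # become; it changes nothing when the play already does.
  become: true
  become_user: lockss
  when: not ansible_check_mode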

# FIXME: LOCKSS's scripts are yucky. Should we care?
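# Run the repository's shutdown script from the checkout directory; skipped
# in check mode. It is the same script the "Shut down LOCKSS containers" task
# runs earlier in this file.
- name: Stop running LOCKSS containers.
  command:
    cmd: scripts/shutdown-lockss
    chdir: /usr/src/lockss
  # become_user only takes effect when become is enabled. Setting it here
  # makes the script run as lockss rather than as the connecting user if the
  # play does not enable become; it changes nothing when the play already
  # does.
  become: true
  become_user: lockss
  when: not ansible_check_mode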

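# Run the repository's assemble script from the checkout directory; skipped
# in check mode.
- name: Assemble LOCKSS containers.
  command:
    cmd: scripts/assemble-lockss
    chdir: /usr/src/lockss
  # become_user only takes effect when become is enabled. Setting it here, as
  # the "Shut down LOCKSS containers" task does, makes the script run as
  # lockss rather than as the connecting user if the play does not enable
  # become; it changes nothing when the play already does.
  become: true
  become_user: lockss
  when: not ansible_check_mode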

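# Run the repository's deploy script from the checkout directory; skipped in
# check mode.
- name: Deploy LOCKSS containers.
  command:
    cmd: scripts/deploy-lockss
    chdir: /usr/src/lockss
  # become_user only takes effect when become is enabled. Setting it here, as
  # the "Shut down LOCKSS containers" task does, makes the script run as
  # lockss rather than as the connecting user if the play does not enable
  # become; it changes nothing when the play already does.
  become: true
  become_user: lockss
  when: not ansible_check_mode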