---
- name: install stuff
  apt:
    name: 
      - default-jre
      - unzip
      - apache2
    update_cache: yes

- name: create user for keycloak
  user:
    name: keycloak
    state: present
    shell: /bin/false
    system: yes
    createhome: yes
    home: /opt/keycloak

- name: check if keycloak-dir exists
  stat:
    path: /opt/keycloak/keycloak-13.0.1
  register: keycloak_exists

- name: Extract keycloak-13.0.1.tar.gz to /opt/keycloak
  unarchive:
    src: keycloak-13.0.1.tar.gz
    dest: /opt/keycloak
    owner: keycloak
    group: keycloak
  when: not keycloak_exists.stat.exists or redeploy is defined

- name: link /opt/keycloak/keycloak-13.0.1 to /opt/keycloak/current
  file:
    state: link
    src: /opt/keycloak/keycloak-13.0.1
    dest: /opt/keycloak/current

- name: generate /etc/systemd/system/keycloak.service
  template:
    src: keycloak.service.j2
    dest: /etc/systemd/system/keycloak.service
    owner: root
    group: root
    mode: "0644"
  notify:
    - reload systemd

- name: generate /opt/keycloak/current/standalone/configuration/standalone.xml
  template:
    src: standalone.xml.j2
    dest: /opt/keycloak/current/standalone/configuration/standalone.xml
  notify:
    - restart keycloak

- name: enable keycloak
  systemd:
    name: keycloak
    enabled: yes
    masked: no

- name: set permissions correct
  file:
    dest: /opt/keycloak
    owner: keycloak
    group: keycloak
    mode: "0770"
    recurse: yes

- name: Flush handlers
  meta: flush_handlers

- name: enable keycloak
  systemd:
    name: keycloak
    enabled: yes
    masked: no
  notify:
    restart keycloak

- name: Flush handlers
  meta: flush_handlers

- name: check if /opt/keycloak/current/adminuseradded.txt exists
  stat:
    path: /opt/keycloak/current/standalone/configuration/keycloak-add-user.json 
  register: adminuseradded_exists

- name: check if /opt/keycloak/current/standalone/configuration/keycloak-add-user.json exists
  stat:
    path: /opt/keycloak/current/standalone/configuration/keycloak-add-user.json 
  when: not adminuseradded_exists.stat.exists
  register: keycloak_add_user_exists

- name: check if user exists
  shell: "grep username /opt/keycloak/current/standalone/configuration/keycloak-add-user.json | grep admin"
  register: userexists
  when: not adminuseradded_exists.stat.exists and keycloak_add_user_exists.stat.exists

- name: create initial admin user
  command: sudo -u keycloak /opt/keycloak/current/bin/add-user-keycloak.sh -u admin -p {{ keycloak_initial_admin_password }} -r master
  when: not keycloak_add_user_exists.stat.exists or userexists.stdout == ""
  notify:
    restart keycloak

- name: create initial admin user
  command: sudo -u keycloak touch /opt/keycloak/current/adminuseradded.txt
  when: not keycloak_add_user_exists.stat.exists or userexists.stdout == ""
  notify:
    restart keycloak

- name: set permissions correct again
  file:
    dest: /opt/keycloak
    owner: keycloak
    group: keycloak
    mode: "0770"
    recurse: yes

- name: enable apache module proxy
  command: a2enmod proxy
  args:
    creates: /etc/apache2/mods-enabled/proxy.load
  notify:
    restart apache2

- name: enable apache module proxy_html
  command: a2enmod proxy_html
  args:
    creates: /etc/apache2/mods-enabled/proxy_html.load
  notify:
    restart apache2

- name: enable apache module proxy_http
  command: a2enmod proxy_http
  args:
    creates: /etc/apache2/mods-enabled/proxy_http.load
  notify:
    restart apache2

- name: enable apache module proxy_http2
  command: a2enmod proxy_http2
  args:
    creates: /etc/apache2/mods-enabled/proxy_http2.load
  notify:
    restart apache2

- name: enable apache module ssl
  command: a2enmod ssl
  args:
    creates: /etc/apache2/mods-enabled/ssl.load
  notify:
    restart apache2

- name: enable apache module headers
  command: a2enmod headers
  args:
    creates: /etc/apache2/mods-enabled/headers.load
  notify:
    restart apache2

- name: enable apache module rewrite
  command: a2enmod rewrite
  args:
    creates: /etc/apache2/mods-enabled/rewrite.load
  notify:
    restart apache2

- name: install acme.sh
  include_role:
    name: acmesh

- name: set amce server url
  set_fact:
    acmeshserver: "--server {{ acme_sh_server }} --insecure --force --days 1"
  when: acme_sh_server is defined

- name: set amce server url
  set_fact:
    acmeshserver: ""
  when: not acme_sh_server is defined
  
- name: get certificates
  command: /root/.acme.sh/acme.sh --issue --apache {{ acmeshserver }} -d {{ inventory_hostname }} --email {{ acme_sh_email }} --key-file /etc/ssl/private/{{ inventory_hostname }}.key --fullchain-file /etc/ssl/certs/{{ inventory_hostname }}.pem --reloadcmd "service apache2 reload"
  args:
    creates: /etc/ssl/private/{{ inventory_hostname }}.key

- name: generate /etc/apache2/sites-available/{{ inventory_hostname }}.conf
  template:
    src: apache.conf.j2
    dest: /etc/apache2/sites-available/{{ inventory_hostname }}.conf
    owner: root
    group: root
    mode: "0644"
  notify:
    - reload apache2

- name: generate /etc/apache2/sites-available/{{ inventory_hostname }}-ssl.conf
  template:
    src: apache-ssl.conf.j2
    dest: /etc/apache2/sites-available/{{ inventory_hostname }}-ssl.conf
    owner: root
    group: root
    mode: "0644"
  notify:
    - reload apache2

- name: activate /etc/apache2/sites-available/{{ inventory_hostname }}.conf
  file:
    state: link
    src: /etc/apache2/sites-available/{{ inventory_hostname }}.conf
    dest: /etc/apache2/sites-enabled/{{ inventory_hostname }}.conf
  notify:
    - reload apache2

- name: activate /etc/apache2/sites-available/{{ inventory_hostname }}-ssl.conf
  file:
    state: link
    src: /etc/apache2/sites-available/{{ inventory_hostname }}-ssl.conf
    dest: /etc/apache2/sites-enabled/{{ inventory_hostname }}-ssl.conf
  notify:
    - reload apache2