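---
# Graylog server tasks: repository + package install, a systemd drop-in for
# capabilities, sysconfig/server.conf templates, per-host syslog TLS material,
# firewalld rules for syslog, and the Apache reverse proxy in front of Graylog.
# Module arguments are written as block YAML (not key=value strings) so that
# file modes stay quoted strings and booleans are real booleans.

- name: ensure graylog repository is available
  # NOTE(review): installs an RPM fetched over HTTPS; whether the package
  # signature is verified depends on the host's yum/dnf gpgcheck settings
  # and imported keys -- confirm on the target platform.
  package:
    name: https://packages.graylog2.org/repo/packages/graylog-3.1-repository_latest.rpm
    state: present
  tags:
    - install

- name: ensure graylog is installed
  package:
    name:
      - java-1.8.0-openjdk-headless
      - graylog-server
    state: present
  tags:
    - install

- name: ensure graylog-server systemd unit drop-in directory is present
  file:
    path: /etc/systemd/system/graylog-server.service.d
    mode: '0755'
    state: directory

- name: ensure graylog-server systemd unit capabilities are configured
  # A drop-in changes the unit definition, so systemd must be reloaded
  # before the restart picks it up (both handlers are notified).
  copy:
    src: graylog-server-capabilities.systemd.conf
    dest: /etc/systemd/system/graylog-server.service.d/capabilities.conf
    mode: '0644'
  notify:
    - reload systemd
    - restart graylog

- name: ensure graylog service is configured
  template:
    src: graylog-server.sysconfig.j2
    dest: /etc/sysconfig/graylog-server
    mode: '0644'
  notify: restart graylog

- name: ensure graylog server is configured
  # server.conf is root:graylog 0640 -- readable by the service, not world-readable.
  template:
    src: server.conf.j2
    dest: /etc/graylog/server/server.conf
    owner: root
    group: graylog
    mode: '0640'
  notify: restart graylog

# The TLS material is looked up per host under files/ (named after the
# inventory hostname); with_fileglob yields no items when no file matches,
# so hosts without a certificate simply skip these tasks.
- name: ensure syslog tls server certificate is installed
  copy:
    src: "{{ item }}"
    dest: /etc/graylog/syslog-tls.cer
    owner: root
    group: graylog
    mode: '0640'
  with_fileglob: "files/{{ inventory_hostname }}.cer"

# The private key file must be in PKCS#8 format, not the more common PKCS#1
- name: ensure syslog tls server private key is installed
  copy:
    src: "{{ item }}"
    dest: /etc/graylog/syslog-tls.key
    owner: root
    group: graylog
    mode: '0640'
  with_fileglob: "files/{{ inventory_hostname }}.key"

- name: ensure syslog tls ca certificate is installed
  copy:
    src: "{{ item }}"
    dest: /etc/graylog/syslog-tls-ca.crt
    owner: root
    group: graylog
    mode: '0640'
  with_fileglob: "files/{{ inventory_hostname }}_ca.crt"

- name: ensure firewall is configured for syslog
  # Runtime-only change (permanent: false, immediate: true); persisting the
  # running configuration is left to the notified handler.
  firewalld:
    service: "{{ item.service }}"
    permanent: false
    immediate: true
    state: "{{ item.state }}"
  notify: save firewalld configuration
  with_items:
    - service: syslog
      state: '{{ "enabled" if graylog_use_syslog else "disabled" }}'
    - service: syslog-tls
      state: '{{ "enabled" if graylog_use_syslog_tls else "disabled" }}'

- name: ensure apache is allowed to proxy
  # SELinux boolean needed for httpd to open outbound connections to Graylog.
  seboolean:
    name: httpd_can_network_connect
    persistent: true
    state: true

- name: ensure apache is configured to proxy for graylog
  template:
    src: graylog.httpd.conf.j2
    dest: /etc/httpd/conf.d/graylog.conf
    mode: '0644'
  notify: reload httpd

- name: ensure graylog starts at boot
  # Only enables the unit; starting/restarting is handled by the
  # "restart graylog" handler notified by the configuration tasks.
  service:
    name: graylog-server
    enabled: true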