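---
# Obtain and maintain an ACME (lego) TLS certificate for a Samba domain
# controller: install lego, front the HTTP-01 challenge with haproxy, open the
# firewall, wait for DNS, request the certificate, install a systemd renewal
# service + timer, and link the resulting files into /etc/samba.
# Handlers referenced here (reload haproxy, save firewalld configuration,
# restart samba, reload systemd, restart samba-cert-renew.timer) are defined
# elsewhere in the role.

- name: ensure lego is installed
  package:
    name: golang-github-acme-lego
    state: present
  tags:
    - install

- name: ensure haproxy is configured for domain controllers
  template:
    src: samba-dc.haproxy.cfg
    dest: /etc/haproxy/conf.d/40-samba-dc.cfg
    owner: root
    group: root
    mode: u=rw,go=r
  notify:
    - reload haproxy
  tags:
    - haproxy

# Apply the haproxy reload now so the challenge path is live before the
# firewall is opened and the certificate is requested.
- name: flush handlers
  meta: flush_handlers

# 80/tcp carries the ACME HTTP-01 challenge; 5000/tcp is the port lego listens
# on (see --http.port in the certificate task below).
# NOTE(review): if haproxy proxies :80 to lego on loopback, 5000/tcp may not
# need to be reachable from outside -- confirm against samba-dc.haproxy.cfg.
- name: ensure acme/http port is allowed in firewall
  firewalld:
    port: '{{ item }}'
    state: enabled
  loop:
    - 80/tcp
    - 5000/tcp
  when: host_uses_firewalld | d(true)
  notify:
    - save firewalld configuration
  tags:
    - firewalld

# The ACME server must resolve both the realm and the host FQDN to this host's
# default IPv4 address before the challenge can succeed.  wantlist=True makes
# the dig lookup return a list so "in" is an exact address match; against the
# default comma-joined string it would be a substring test (10.0.0.1 would
# match 10.0.0.10).  Waits up to 15 x 60 s = 15 minutes.
- name: wait for dns records to propagate
  delegate_to: localhost
  become: false
  command: 'true'
  until: >-
    ansible_default_ipv4.address in lookup("dig", krb5_realm | lower, wantlist=True)
    and ansible_default_ipv4.address in lookup("dig", ansible_fqdn, wantlist=True)
  delay: 60
  retries: 15
  changed_when: false
  tags:
    - wait-for-dns

# "creates" keeps this idempotent: lego only runs until its certificate
# metadata file exists.  --accept-tos agrees to the ACME server's terms
# non-interactively; lego serves the HTTP-01 challenge itself on :5000.
- name: ensure samba server certificate exists
  command: >-
    lego --path /var/lib/samba/.lego --accept-tos
    --server {{ samba_cert_acme_server }}
    --http --http.port :5000
    --domains {{ ansible_fqdn }} --domains {{ krb5_realm | lower }}
    --email {{ samba_cert_acme_email }}
    run
  args:
    creates: /var/lib/samba/.lego/certificates/{{ ansible_fqdn }}.json
  notify:
    - restart samba
  tags:
    - cert

- name: ensure samba server certificate renewal service is installed
  template:
    src: samba-cert-renew.service.j2
    dest: /etc/systemd/system/samba-cert-renew.service
    owner: root
    group: root
    mode: u=rw,go=r
  notify:
    - reload systemd
  tags:
    - systemd

- name: ensure samba server certificate renewal timer is installed
  template:
    src: samba-cert-renew.timer.j2
    dest: /etc/systemd/system/samba-cert-renew.timer
    owner: root
    group: root
    mode: u=rw,go=r
  notify:
    - reload systemd
    - restart samba-cert-renew.timer
  tags:
    - systemd

# Reload systemd now so the new timer unit is known before it is started.
- name: flush handlers
  meta: flush_handlers

- name: ensure samba-cert-renew timer is running
  systemd:
    name: samba-cert-renew.timer
    state: started
  tags:
    - service

- name: ensure samba-cert-renew timer starts at boot
  systemd:
    name: samba-cert-renew.timer
    enabled: true
  tags:
    - service

# Symlink the lego-managed cert and key into /etc/samba so renewals are picked
# up without copying; force: true replaces an existing regular file at the
# path and tolerates a not-yet-existing source.  ca.crt is pointed at
# /dev/null -- presumably an intentionally empty CA file; confirm this matches
# the tls settings in smb.conf.
- name: ensure samba certificate files are linked
  file:
    path: /etc/samba/{{ item.path }}
    src: '{{ item.dest }}'
    force: true
    state: link
  loop:
    - path: server.cer
      dest: /var/lib/samba/.lego/certificates/{{ ansible_fqdn }}.crt
    - path: server.key
      dest: /var/lib/samba/.lego/certificates/{{ ansible_fqdn }}.key
    - path: ca.crt
      dest: /dev/null
  notify:
    - restart samba
  tags:
    - cert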