servers/roles/friwall/tasks/main.yml

- name: Create friwall group
  group:
    name: friwall
    system: yes

- name: Create friwall user
  user:
    name: friwall
    system: yes
    home: /srv/friwall
    shell: /sbin/nologin
    generate_ssh_key: yes
    ssh_key_comment: "{{ inventory_hostname }}"
    ssh_key_type: ed25519

- name: Install packages
  package:
    name: git,inotify-tools,py3-pip,procps-ng,rsync,uwsgi,uwsgi-python3,wireguard-tools

- name: Clone web files
  become: yes
  become_user: friwall
  become_method: su
  become_flags: "-s /bin/sh"
  git:
    repo: '{{ password.friwall_repo }}'
    dest: /srv/friwall/app
    force: yes
  notify: reload uwsgi

- name: Install requirements
  become: yes
  become_user: friwall
  become_method: su
  become_flags: '-s /bin/sh'
  pip:
    requirements: /srv/friwall/app/requirements.txt
    extra_args: --user --break-system-packages --no-warn-script-location
  notify: restart uwsgi

- name: Ensure setting files exist
  copy:
    dest: "/srv/friwall/{{ item }}.json"
    content: |
      {}
    owner: friwall
    group: friwall
    mode: 0600
    force: no
  loop:
    - nodes
    - settings
  notify: restart uwsgi

- name: Configure list of networks
  template:
    dest: "/srv/friwall/networks.json"
    src: "networks.json.j2"
    owner: friwall
    group: friwall
    mode: 0600

- name: Configure uwsgi
  copy:
    dest: /etc/uwsgi/
    src: uwsgi.ini
  notify: restart uwsgi

- name: Configure uwsgi instance
  copy:
    dest: /etc/uwsgi/conf.d/
    src: friwall.ini
    owner: friwall
    group: friwall

- name: Enable uwsgi
  service:
    name: uwsgi
    enabled: yes
    state: started

- name: Configure nginx instance
  template:
    dest: /etc/nginx/http.d/friwall.conf
    src: nginx.conf.j2
  notify: reload nginx

- name: Install config pusher initscript
  copy:
    dest: /etc/init.d/pusher
    src: pusher.initd
    mode: 0755
  notify: restart pusher

- name: Enable config pusher service
  service:
    name: pusher
    enabled: true
    state: started

- name: Regenerate config daily
  cron:
    name: "regenerate config"
    job: "cd ~/app ; FLASK_APP=web python3 -m flask generate"
    user: friwall
    hour: "3"
    minute: "33"

- name: Try (re-)pushing config periodically
  cron:
    name: "push config"
    job: "cd ~/app ; FLASK_APP=web python3 -m flask push"
    user: friwall
    minute: "*/15"