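---
# Apache httpd tasks: package install, Kerberos keytab and TLS material,
# mod_ssl/userdir/mpm/servername config, SELinux boolean, service enablement,
# firewall openings and log rotation. Module arguments are written as block
# YAML (not key=value strings) so file modes stay strings and booleans are
# real booleans. Handlers "reload httpd" and "save firewalld configuration"
# are defined elsewhere in the role.

- name: ensure apache httpd is installed
  package:
    name:
      - httpd
      - mod_ssl
    state: present
  tags:
    - install

# with_fileglob produces no iterations when nothing matches under files/, so a
# host without a keytab/key/cert skips the task instead of failing.
- name: ensure http service keytab is in place
  copy:
    src: "{{ item }}"
    dest: /etc/httpd/krb5.keytab
    # the keytab is a credential: root-owned, readable only by the apache group
    mode: "0440"
    owner: root
    group: apache
  with_fileglob:
    - "{{ inventory_hostname }}.keytab"
  tags:
    - apache-config
    - keytab

- name: ensure tls private key exists
  copy:
    src: "{{ item }}"
    dest: "{{ apache_ssl_certificate_key }}"
    # private key: owner-read only
    mode: "0400"
    setype: cert_t
  with_fileglob:
    - "{{ inventory_hostname }}.key"
  notify: reload httpd
  tags:
    - cert

- name: ensure tls certificate exists
  copy:
    src: "{{ item }}"
    dest: "{{ apache_ssl_certificate }}"
    mode: "0644"
    setype: cert_t
  with_fileglob:
    - "{{ inventory_hostname }}.cer"
  notify: reload httpd
  tags:
    - cert

- name: ensure tls ca certificate exists
  copy:
    src: "{{ item }}"
    dest: "{{ apache_ssl_ca_certificate }}"
    mode: "0644"
    setype: cert_t
  when: apache_ssl_ca_certificate is defined
  with_fileglob:
    - "{{ inventory_hostname }}-ca.crt"
  notify: reload httpd
  tags:
    - cert

- name: ensure ssl.include is populated
  template:
    src: ssl.include.j2
    dest: /etc/httpd/conf.d/ssl.include
    mode: "0644"
  notify: reload httpd
  tags:
    - apache-config

- name: ensure mod_ssl is configured
  template:
    src: ssl.conf.j2
    dest: /etc/httpd/conf.d/ssl.conf
    mode: "0644"
    setype: httpd_config_t
  notify: reload httpd
  tags:
    - apache-config

- name: ensure apache userdir module is configured
  template:
    src: userdir.httpd.conf.j2
    dest: /etc/httpd/conf.d/userdir.conf
    mode: "0644"
  notify: reload httpd
  tags:
    - apache-config

# home-directory serving is only allowed by SELinux when apache_userdir is set
- name: ensure selinux is configured for apache user directories
  seboolean:
    name: httpd_enable_homedirs
    persistent: true
    state: "{{ 'yes' if apache_userdir is defined else 'no' }}"
  tags:
    - selinux

- name: ensure apache mpm module is configured
  template:
    src: mpm.httpd.conf.j2
    dest: /etc/httpd/conf.modules.d/00-mpm.conf
    mode: "0644"
    setype: httpd_config_t
  notify: reload httpd
  tags:
    - apache-config

- name: ensure apache server name is set
  template:
    src: servername.httpd.conf.j2
    dest: /etc/httpd/conf.d/00-servername.conf
    mode: "0644"
    setype: httpd_config_t
  notify: reload httpd
  tags:
    - apache-config

- name: ensure httpd service starts at boot
  service:
    name: httpd
    enabled: true
  tags:
    - service

# each web_ports entry is either a port spec containing '/' (e.g. "8443/tcp",
# constructed example) or a firewalld service name; the other parameter is
# omitted. The change is runtime-only (permanent: false) and is persisted by
# the notified handler.
- name: ensure web ports are open in firewall
  firewalld:
    port: "{{ item if '/' in item else omit }}"
    service: "{{ item if '/' not in item else omit }}"
    permanent: false
    immediate: true
    state: enabled
  with_items: "{{ web_ports }}"
  notify: save firewalld configuration
  tags:
    - firewall

- name: ensure old apache logs are rotated
  template:
    src: httpd.logrotate.j2
    dest: /etc/logrotate.d/httpd
    mode: "0644"
  tags:
    - logrotate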