- name: Install cgit
  apt: pkg={{ packages }}
  vars:
    packages:
    - cgit
    - highlight
    - fcgiwrap

- name: Stop and disable fcgiwrap socket
  service: name=fcgiwrap.socket state=stopped enabled=false

- name: Stop fcgiwrap service
  service: name=fcgiwrap.service state=stopped

- name: Configure cgit
  copy: src=etc/cgitrc
        dest=/etc/cgitrc
        owner=root group=root
        mode=0644
  notify:
    - Stop cgit

- name: Copy /usr/lib/cgit/filters/syntax-highlighting2.sh
  copy: src=usr/lib/cgit/filters/syntax-highlighting2.sh
        dest=/usr/lib/cgit/filters/syntax-highlighting2.sh
        owner=root group=root
        mode=0755
  notify:
    - Stop cgit

- name: Create '_cgit' user
  user: name=_cgit system=yes
        group=nogroup
        home=/nonexistent
        shell=/usr/sbin/nologin
        password=!
        state=present
  notify:
    - Stop cgit

# Make it sticky: `dpkg-statoverride --add _cgit nogroup 0700 /var/cache/cgit`
- name: Create cache directory /var/cache/cgit
  file: path=/var/cache/cgit
        state=directory
        owner=_cgit group=nogroup
        mode=0700

- name: Copy cgit service unit
  copy: src=etc/systemd/system/cgit.service
        dest=/etc/systemd/system/cgit.service
        owner=root group=root
        mode=0644
  notify:
    - systemctl daemon-reload
    - Stop cgit

- name: Copy cgit socket unit
  copy: src=etc/systemd/system/cgit.socket
        dest=/etc/systemd/system/cgit.socket
        owner=root group=root
        mode=0644
  notify:
    - systemctl daemon-reload
    - Restart cgit

- name: Disable cgit service
  service: name=cgit.service enabled=false

- name: Start cgit socket
  service: name=cgit.socket state=started enabled=true

- meta: flush_handlers


- name: Copy git-http-backend service unit
  copy: src=etc/systemd/system/git-http-backend.service
        dest=/etc/systemd/system/git-http-backend.service
        owner=root group=root
        mode=0644
  notify:
    - systemctl daemon-reload
    - Stop git-http-backend

- name: Copy git-http-backend socket unit
  copy: src=etc/systemd/system/git-http-backend.socket
        dest=/etc/systemd/system/git-http-backend.socket
        owner=root group=root
        mode=0644
  notify:
    - systemctl daemon-reload
    - Restart git-http-backend

- name: Disable git-http-backend service
  service: name=git-http-backend.service enabled=false

- name: Start git-http-backend socket
  service: name=git-http-backend.socket state=started enabled=true

- meta: flush_handlers


- name: Copy /etc/nginx/sites-available/git
  copy: src=etc/nginx/sites-available/git
        dest=/etc/nginx/sites-available/git
        owner=root group=root
        mode=0644
  register: r1
  notify:
    - Restart Nginx

- name: Create /etc/nginx/sites-enabled/git
  file: src=../sites-available/git
        dest=/etc/nginx/sites-enabled/git
        owner=root group=root
        state=link force=yes
  register: r2
  notify:
    - Restart Nginx

- name: Copy HPKP header snippet
  # never modify the pined pubkeys as we don't want to lock out our users
  template: src=etc/nginx/snippets/git.fripost.org.hpkp-hdr.j2
            dest=/etc/nginx/snippets/git.fripost.org.hpkp-hdr
            validate=/bin/false
            owner=root group=root
            mode=0644
  register: r3
  notify:
    - Restart Nginx

- name: Start Nginx
  service: name=nginx state=started
  when: not (r1.changed or r2.changed or r3.changed)

- meta: flush_handlers

- name: Fetch Nginx's X.509 certificate
  # Ensure we don't fetch private data
  become: False
  fetch_cmd: cmd="openssl x509 -noout -pubkey"
             stdin=/etc/nginx/ssl/git.fripost.org.pem
             dest=certs/public/git.fripost.org.pub
  tags:
    - genkey