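---
# Nginx setup tasks: SELinux labelling and booleans on CentOS, service
# account creation on Ubuntu/Debian, deployment of nginx_https.conf, and
# reverse-proxy rules that forward Access Manager endpoints to
# 127.0.0.1:9001.

# Label the log directory so the confined httpd domain may write to it.
- name: Allow nginx to write to its log directory
  sefcontext:
    target: "{{ configs.mft_services.nginx.log_dir }}(/.*)?"
    setype: httpd_sys_rw_content_t
    state: present
  when: ansible_distribution == 'CentOS'

# sefcontext only records the rule; restorecon relabels the existing files.
- name: Apply SELinux context changes
  command: restorecon -R -v "{{ configs.mft_services.nginx.log_dir }}"
  when: ansible_distribution == 'CentOS'

- name: Allow nginx to access cifs shares
  seboolean:
    name: httpd_use_cifs
    state: true
    persistent: true
  when: ansible_distribution == 'CentOS'

# NOTE(review): this creates a group named after nginx.user, while the user
# task below adds the account to nginx.group. If the two values differ, the
# second group is not created here; confirm it exists before the user task.
- name: Create nginx group for ubuntu
  group:
    name: "{{ configs.mft_services.nginx.user }}"
    state: present
  when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'

- name: Create nginx user for ubuntu
  user:
    name: "{{ configs.mft_services.nginx.user }}"
    groups: "{{ configs.mft_services.nginx.group }}"
    state: present
    createhome: false
  when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'

- name: Find nginx config
  find:
    paths: "{{ remote_deployment_dir }}"
    patterns: nginx_https.conf
    file_type: file
    recurse: true
  register: found_nginx_config

# Stop with a clear message instead of an index error on files[0] below.
- name: Fail when nginx_https.conf was not found
  fail:
    msg: "nginx_https.conf not found under {{ remote_deployment_dir }}"
  when: found_nginx_config.matched == 0

# Paths are quoted so a path containing whitespace stays a single argument.
# If several files match, only the first one returned by find is deployed.
- name: Copy nginx configuration
  command: cp "{{ found_nginx_config.files[0].path }}" "{{ configs.mft_services.nginx.config }}"
  notify:
    - Restart nginx with config check

# NOTE(review): the inserted listen directive carries no "ssl" parameter.
# If the target server block is the HTTPS one, nginx serves this port in
# plain HTTP unless ssl is set on the listen line; confirm that is intended
# for a port that carries OAuth token and admin requests.
- name: Open port 60011 in nginx config
  lineinfile:
    path: "{{ configs.mft_services.nginx.config }}"
    insertbefore: '[ \t]* access_log /var/log/nginx/access.log;'
    line: ' listen {{ configs.mft_services.access_manager.proxy_port }};'
  become: true

# NOTE(review): the /v1/admin/* locations are proxied with no allow/deny or
# auth directive in this block, so access control rests entirely on the
# Access Manager backend; confirm that, or restrict them by source address.
- name: Add Access Manager forwarding in nginx configuration
  blockinfile:
    path: "{{ configs.mft_services.nginx.config }}"
    insertafter: '[ \t]* access_log /var/log/nginx/access.log;'
    block: |
      location /access-manager/oauth/token {
        proxy_pass http://127.0.0.1:9001/access-manager/oauth/token;
      }
      location /access-manager/v1/admin/clients {
        proxy_pass http://127.0.0.1:9001/access-manager/v1/admin/clients;
      }
      location /access-manager/v1/greeting {
        proxy_pass http://127.0.0.1:9001/access-manager/v1/greeting;
      }
      location /access-manager/v1/admin/roles {
        proxy_pass http://127.0.0.1:9001/access-manager/v1/admin/roles;
      }
      location /access-manager/v1/admin/users {
        proxy_pass http://127.0.0.1:9001/access-manager/v1/admin/users;
      }
      location /access-manager/v1/me {
        proxy_pass http://127.0.0.1:9001/access-manager/v1/me;
      }
      location /access-manager/v1/admin/user-role-membership {
        proxy_pass http://127.0.0.1:9001/access-manager/v1/admin/user-role-membership;
      }
  become: true

# NOTE(review): owner plus mode 0660 make the config writable by the nginx
# service account. If nginx workers run as that account, a compromised
# worker could rewrite the config that is loaded on the next reload. Unless
# another task depends on this, prefer root ownership and a read-only mode
# for the service group.
- name: Set nginx config ownership
  file:
    path: "{{ configs.mft_services.nginx.config }}"
    owner: "{{ configs.mft_services.nginx.user }}"
    group: "{{ configs.mft_services.nginx.group }}"
    mode: "0660"

# vim:ft=ansible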