- name: Enable index.html creation if user doesn't wish to customise base domain
  delegate_to: 127.0.0.1
  lineinfile:
    path: '{{ awx_cached_matrix_vars }}'
    regexp: "^#? *{{ item.key | regex_escape() }}:"
    line: "{{ item.key }}: {{ item.value }}"
    insertafter: '# Base Domain Settings Start'
  with_dict:
    'matrix_nginx_proxy_base_domain_homepage_enabled': 'true'
  when: customise_base_domain_website|bool == false

- name: Disable index.html creation to allow multi-file site if user does wish to customise base domain
  delegate_to: 127.0.0.1
  lineinfile:
    path: '{{ awx_cached_matrix_vars }}'
    regexp: "^#? *{{ item.key | regex_escape() }}:"
    line: "{{ item.key }}: {{ item.value }}"
    insertafter: '# Base Domain Settings Start'
  with_dict:
    'matrix_nginx_proxy_base_domain_homepage_enabled': 'false'
  when: customise_base_domain_website|bool == true

- name: Record custom 'Customise Website + Access Export' variables locally on AWX
  delegate_to: 127.0.0.1
  lineinfile:
    path: '{{ awx_cached_matrix_vars }}'
    regexp: "^#? *{{ item.key | regex_escape() }}:"
    line: "{{ item.key }}: {{ item.value }}"
    insertafter: '# Custom Settings Start'
  with_dict:
    'customise_base_domain_website': '{{ customise_base_domain_website }}'
    'sftp_auth_method': '"{{ sftp_auth_method }}"'
    'sftp_password': '"{{ sftp_password }}"'
    'sftp_public_key': '"{{ sftp_public_key }}"'

- name: Reload vars in matrix_vars.yml
  include_vars:
    file: '{{ awx_cached_matrix_vars }}'
  no_log: True

# ^ Is this even needed?

- name: Save new 'Customise Website + Access Export' survey.json to the AWX tower, template
  delegate_to: 127.0.0.1
  template:
    src: './roles/matrix-awx/surveys/configure_website_access_export.json.j2'
    dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'

- name: Copy new 'Customise Website + Access Export' survey.json to target machine
  copy:
    src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'
    dest:  '/matrix/awx/configure_website_access_export.json'
    mode: '0660'

- name: Collect AWX admin token the hard way!
  delegate_to: 127.0.0.1
  shell: |
      curl -sku {{ tower_username }}:{{ tower_password }} -H "Content-Type: application/json" -X POST -d '{"description":"Tower CLI", "application":null, "scope":"write"}' https://{{ tower_host }}/api/v2/users/1/personal_tokens/ | jq '.token' | sed -r 's/\"//g'
  register: tower_token
  no_log: True

- name: Recreate 'Customise Base Domain Export' job template
  delegate_to: 127.0.0.1
  awx.awx.tower_job_template:
    name: "{{ matrix_domain }} - 1 - Configure Website + Access Export"
    description: "Configure base domain website settings and access the servers export."
    extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
    job_type: run
    job_tags: "start,setup-nginx-proxy"
    inventory: "{{ member_id }}"
    project: "{{ member_id }} - Matrix Docker Ansible Deploy"
    playbook: setup.yml
    credential: "{{ member_id }} - AWX SSH Key"
    survey_enabled: true
    survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json') }}"
    become_enabled: yes
    state: present
    verbosity: 1
    tower_host: "https://{{ tower_host }}"
    tower_oauthtoken: "{{ tower_token.stdout }}"
    validate_certs: yes

- name: Ensure group "sftp" exists
  group:
    name: sftp
    state: present

- name: If user doesn't define a sftp_password, create a disabled 'sftp' account
  user:
    name: sftp
    comment: SFTP user to set custom web files and access servers export
    shell: /bin/false
    home: /home/sftp
    group: sftp
    password: '*'
    update_password: always
  when: sftp_password|length == 0

- name: If user defines sftp_password, enable account and set password on 'stfp' account
  user:
    name: sftp
    comment: SFTP user to set custom web files and access servers export
    shell: /bin/false
    home: /home/sftp
    group: sftp
    password: "{{ sftp_password | password_hash('sha512') }}"
    update_password: always
  when: sftp_password|length > 0

- name: adding existing user 'sftp' to group matrix
  user:
    name: sftp
    groups: matrix
    append: yes

- name: Create the ro /chroot directory with sticky bit if it doesn't exist. (/chroot/website has matrix:matrix permissions and is mounted to nginx container)
  file:
    path: /chroot
    state: directory
    owner: root
    group: root
    mode: '1755'

- name: Ensure /chroot/website location exists.
  file:
    path: /chroot/website
    state: directory
    owner: matrix
    group: matrix
    mode: '0574'

- name: Ensure /chroot/export location exists
  file:
    path: /chroot/export
    state: directory
    owner: sftp
    group: sftp
    mode: '0700'

- name: Ensure /home/sftp/.ssh location exists
  file:
    path: /home/sftp/.ssh
    state: directory
    owner: sftp
    group: sftp
    mode: '0700'

- name: Ensure /home/sftp/authorized_keys exists
  file:
    path: /home/sftp/.ssh/authorized_keys
    state: touch
    owner: sftp
    group: sftp
    mode: '0644'

- name: Clear authorized_keys file
  shell: echo "" > /home/sftp/.ssh/authorized_keys

- name: Insert public SSH key into authorized_keys file
  lineinfile:
    path: /home/sftp/.ssh/authorized_keys
    line: "{{ sftp_public_key }}"
    owner: sftp
    group: sftp
    mode: '0644'
  when: (sftp_public_key | length > 0) and (sftp_auth_method == "SSH Key")

- name: Alter SSH Subsystem State 1
  lineinfile:
    path: /etc/ssh/sshd_config
    line: "Subsystem sftp	/usr/lib/openssh/sftp-server"
    state: absent

- name: Alter SSH Subsystem State 2
  lineinfile:
    path: /etc/ssh/sshd_config
    insertafter: "^# override default of no subsystems"
    line: "Subsystem sftp internal-sftp"

- name: Add SSH Match User section for disabled auth
  blockinfile:
    path: /etc/ssh/sshd_config
    state: absent
    block: |
      Match User sftp
          ChrootDirectory /chroot
          PermitTunnel no
          X11Forwarding no
          AllowTcpForwarding no
          PasswordAuthentication yes
          AuthorizedKeysFile /home/sftp/.ssh/authorized_keys
  when: sftp_auth_method == "Disabled"

- name: Add SSH Match User section for password auth
  blockinfile:
    path: /etc/ssh/sshd_config
    state: present
    block: |
      Match User sftp
          ChrootDirectory /chroot
          PermitTunnel no
          X11Forwarding no
          AllowTcpForwarding no
          PasswordAuthentication yes
  when: sftp_auth_method == "Password"

- name: Add SSH Match User section for publickey auth
  blockinfile:
    path: /etc/ssh/sshd_config
    state: present
    block: |
      Match User sftp
          ChrootDirectory /chroot
          PermitTunnel no
          X11Forwarding no
          AllowTcpForwarding no
          AuthorizedKeysFile /home/sftp/.ssh/authorized_keys
  when: sftp_auth_method == "SSH Key"

- name: Restart service ssh.service
  service:
    name: ssh.service
    state: restarted