---

- name: gather mirror facts
  hosts: mirrors
  tasks: []

- name: "prepare postgres ssl hosts list"
  hosts: apollo.archlinux.org
  tasks:
      - set_fact: postgres_ssl_hosts="{{ [orion4] + [orion6] + detected_ips}}"
        vars:
            orion4: "{{ hostvars['orion.archlinux.org']['ipv4_address'] }}{{ hostvars['orion.archlinux.org']['ipv4_netmask'] }}"
            orion6: "{{ hostvars['orion.archlinux.org']['ipv6_address'] }}{{ hostvars['orion.archlinux.org']['ipv6_netmask'] }}"
            detected_ips: "{{ groups['mirrors'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | map('regex_replace', '^(.*)$', '\\1/32') | list}}"
        tags: ["postgres"]

- name: setup apollo
  hosts: apollo.archlinux.org
  remote_user: root
  roles:
    - { role: common, tags: ['common'] }
    - { role: tools, tags: ['tools'] }
    - { role: sshd, tags: ['sshd'] }
    - { role: root_ssh, tags: ['root_ssh'] }
    - { role: borg-client, tags: ["borg"] }
    - { role: nginx, tags: ["nginx"] }
    - { role: planet, planet_domain: "planet.archlinux.org", planet_dir: "/srv/http/planet", tags: ["planet"] }
    - { role: spampd, tags: ["mail", "spampd"] }
    - { role: unbound, tags: ["mail", "unbound"] }
    - { role: postfix, postfix_server: false, postfix_smtpd_public: true, postfix_patchwork_enabled: true, tags: ["mail", "postfix"] }
    - { role: opendkim, dkim_selector: apollo, tags: ['mail', "opendkim"] }
    - { role: postfwd, tags: ['mail', "postfwd"] }
    - { role: postgres, postgres_listen_addresses: "*", postgres_max_connections: 1000, postgres_ssl: 'on', postgres_shared_buffers: 4096MB,
              tags: ['postgres'] }
    - { role: mariadb, mariadb_innodb_buffer_pool_size: '64M', mariadb_table_open_cache: '256', mariadb_query_cache_type: '0',
              mariadb_innodb_file_per_table: True, tags: ["mariadb"] }
    - { role: sudo, tags: ['sudo'] }
    - { role: uwsgi, tags: ['uwsgi'] }
    - { role: php-fpm, php_extensions: ['bcmath', 'curl', 'gd', 'iconv', 'intl', 'mysqli', 'pdo_pgsql', 'pgsql', 'sockets', 'zip'], zend_extensions: ['opcache'], tags: ["php-fpm"] }
    - { role: memcached, tags: ['memcached'] }
    - { role: archweb, tags: ["archweb"] }
    - { role: security_tracker, security_tracker_domain: "security.archlinux.org", security_tracker_dir: "/srv/http/security-tracker", tags: ["security_tracker"] }
    - { role: flyspray, tags: ["flyspray"] }
    - { role: mailman, mailman_domain: "lists.archlinux.org", tags: ["mailman"] }
    - { role: patchwork, tags: ["patchwork"] }
    - { role: kanboard, tags: ["kanboard"] }
    - { role: zabbix-server, tags: ["zabbix", "zabbix-server"] }
    - { role: grafana, tags: ["grafana"] }
    - { role: archwiki, tags: ["archwiki"] }
  tasks:
    - name: open firewall hole for hefurd
      firewalld: port=6969/tcp permanent=true state=enabled