---
# more or less as per http://wiki.znc.in/Running_ZNC_as_a_system_daemon

- name: Install znc
  apt:
    name: "{{ packages }}"
    state: present
  vars:
    packages:
    - znc
    - expect
  tags:
    - dependencies

- name: Create znc group
  group: name=znc state=present

- name: Create znc user
  user: name=znc state=present home=/usr/lib/znc system=yes group=znc shell=/usr/sbin/nologin

- name: Ensure pid directory exists
  file: state=directory path=/var/run/znc group=znc owner=znc

- name: Ensure configuration folders exist
  file: state=directory path=/usr/lib/znc/{{ item }} group=znc owner=znc
  with_items:
    - moddata
    - modules
    - users
    - configs

- name: Copy znc service file into place
  copy: src=etc_systemd_system_znc.service dest=/etc/systemd/system/znc.service mode=0644

- name: Create a combined version of the SSL private key and full certificate chain
  shell: cat /etc/letsencrypt/live/{{ domain }}/privkey.pem
    /etc/letsencrypt/live/{{ domain }}/fullchain.pem >
    /usr/lib/znc/znc.pem
    creates=/usr/lib/znc/znc.pem
  notify: restart znc

- name: Update post-certificate-renewal task
  template:
    src: etc_letsencrypt_postrenew_znc.sh.j2
    dest: /etc/letsencrypt/postrenew/znc.sh
    owner: root
    group: root
    mode: 0755

- name: Ensure znc user and group can read cert
  file: path=/usr/lib/znc/znc.pem group=znc owner=znc mode=0640
  notify: restart znc

- name: Check for existing config file
  command: cat /usr/lib/znc/configs/znc.conf
  register: znc_config
  ignore_errors: True
  changed_when: False  # never report as "changed"

- name: Copy znc configuration file into place
  template: src=usr_lib_znc_configs_znc.conf.j2 dest=/usr/lib/znc/configs/znc.conf owner=znc group=znc
  when: znc_config.rc != 0
  notify: restart znc

- name: Copy expect script for znc password generation
  template: src=root_znc_pw.j2 dest=/root/znc_pw mode=0777
  when: znc_config.rc != 0

- name: Run script to generate znc hash and salt
  shell: /root/znc_pw | head --lines=-1 | tail --lines=+7
  register: znc_config_pass
  when: znc_config.rc != 0

- name: Put generated hash and salt into configuration file
  blockinfile:
    block: "{{ znc_config_pass.stdout }}"
    path: /usr/lib/znc/configs/znc.conf
    marker: "// {mark} ANSIBLE MANAGED BLOCK"
  when: znc_config.rc != 0

- name: Remove expect script
  file: path=/root/znc_pw state=absent

- name: Set firewall rule for znc
  ufw: rule=allow port=6697 proto=tcp
  tags: ufw

- name: Ensure znc is a system service
  service: name=znc state=restarted enabled=true