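---
# Full Ansible playbook to provision UploadShield directories, permissions,
# tmpfiles and logrotate.
# Usage: ansible-playbook -i inventory scripts/ansible/provision-full.yml
#
# NOTE(review):
# - uploadshield_root is derived from playbook_dir, i.e. a CONTROLLER path,
#   yet it is used as the directory layout on the managed hosts (file paths
#   and copy dest). This only works when the checkout sits at the same
#   absolute path on every target; confirm, or override it with -e.
# - quarantine_dir is root:www-data 0700, so the www-data group has no DAC
#   access at all, while the SELinux type httpd_sys_rw_content_t suggests
#   httpd is expected to write there. Confirm which UID actually writes to
#   quarantine/, state/ and logs/uploads.log before relying on these modes.
- hosts: web
  become: true
  vars:
    # Repository root, two levels above scripts/ansible/. playbook_dir is
    # always set by Ansible; default('.') is only a fallback for ad-hoc use.
    uploadshield_root: "{{ playbook_dir | default('.') | dirname | realpath }}"
    logs_dir: "{{ uploadshield_root }}/logs"
    quarantine_dir: "{{ uploadshield_root }}/quarantine"
    state_dir: "{{ uploadshield_root }}/state"
    examples_dir: "{{ uploadshield_root }}/examples"
    quarantine_owner: "root"
    quarantine_group: "www-data"
    # Modes stay quoted strings so YAML never parses them as octal integers.
    quarantine_perms: "0700"
    state_perms: "0750"
    logs_perms: "0750"
    log_file_mode: "0640"
    selinux_fcontext: "httpd_sys_rw_content_t"
    tmpfiles_conf: "/etc/tmpfiles.d/uploadshield.conf"
    logrotate_dest: "/etc/logrotate.d/uploadshield"

  tasks:
    - name: Ensure logs directory exists
      ansible.builtin.file:
        path: "{{ logs_dir }}"
        state: directory
        owner: "{{ quarantine_owner }}"
        group: "{{ quarantine_group }}"
        mode: "{{ logs_perms }}"

    - name: Ensure quarantine directory exists
      ansible.builtin.file:
        path: "{{ quarantine_dir }}"
        state: directory
        owner: "{{ quarantine_owner }}"
        group: "{{ quarantine_group }}"
        mode: "{{ quarantine_perms }}"

    - name: Ensure state directory exists
      ansible.builtin.file:
        path: "{{ state_dir }}"
        state: directory
        owner: "{{ quarantine_owner }}"
        group: "{{ quarantine_group }}"
        mode: "{{ state_perms }}"

    # The previous `when: ... | path_exists` used a filter that is not part of
    # ansible.builtin (unless this repo ships a custom filter plugin, it fails
    # at template time). copy's force=false implements "only when missing"
    # natively and checks the REMOTE destination, which is what is wanted; a
    # Jinja `is exists` test would only look on the controller.
    - name: Ensure example uploadshield.json is copied (only when missing)
      ansible.builtin.copy:
        src: "{{ examples_dir }}/uploadshield.json"
        dest: "{{ uploadshield_root }}/uploadshield.json"
        owner: "{{ quarantine_owner }}"
        group: "{{ quarantine_group }}"
        mode: "0644"
        force: false

    # tmpfiles.d "d" lines recreate a missing directory at boot and reapply
    # mode/owner/group; the trailing "-" (age) disables any cleanup.
    # logs_dir is not listed, as in the original; add a third line if the
    # root can live on a volatile filesystem.
    - name: Install tmpfiles.d entry to recreate dirs at boot
      ansible.builtin.copy:
        dest: "{{ tmpfiles_conf }}"
        content: |
          d {{ quarantine_dir }} {{ quarantine_perms }} {{ quarantine_owner }} {{ quarantine_group }} -
          d {{ state_dir }} {{ state_perms }} {{ quarantine_owner }} {{ quarantine_group }} -
        owner: root
        group: root
        mode: "0644"

    # src is read on the controller, so the controller-side `is exists` test
    # is the right check here. logrotate ignores config files writable by
    # anyone but root, hence root:root 0644.
    - name: Install logrotate snippet if example exists
      ansible.builtin.copy:
        src: "{{ examples_dir }}/logrotate.d/uploadshield"
        dest: "{{ logrotate_dest }}"
        owner: root
        group: root
        mode: "0644"
      when: (examples_dir ~ '/logrotate.d/uploadshield') is exists

    # sefcontext lives in community.general and needs the SELinux Python
    # bindings on the target. Guard on the fact being defined so hosts run
    # with gather_facts: false do not error on an undefined variable.
    - name: Set SELinux fcontext for directories when selinux enabled
      community.general.sefcontext:
        target: "{{ item }}(/.*)?"
        setype: "{{ selinux_fcontext }}"
      loop:
        - "{{ quarantine_dir }}"
        - "{{ state_dir }}"
        - "{{ logs_dir }}"
      when:
        - ansible_selinux is defined
        - ansible_selinux.status == 'enabled'

    # argv passes each path as one argument (no shell, no word splitting on
    # whitespace in a path). restorecon -v prints "Relabeled ..." for every
    # file it changed, giving an honest changed status instead of command's
    # default "always changed".
    - name: Apply SELinux contexts
      ansible.builtin.command:
        argv:
          - restorecon
          - "-Rv"
          - "{{ quarantine_dir }}"
          - "{{ state_dir }}"
          - "{{ logs_dir }}"
      register: restorecon_result
      changed_when: "'Relabeled' in restorecon_result.stdout"
      when:
        - ansible_selinux is defined
        - ansible_selinux.status == 'enabled'

    # state=touch bumps atime/mtime (and reports changed) on every run unless
    # both timestamps are preserved; the file is still created when missing.
    - name: Ensure log file exists with correct mode (touch)
      ansible.builtin.file:
        path: "{{ logs_dir }}/uploads.log"
        state: touch
        owner: "{{ quarantine_owner }}"
        group: "{{ quarantine_group }}"
        mode: "{{ log_file_mode }}"
        access_time: preserve
        modification_time: preserve

    - name: Summary - show directories
      ansible.builtin.debug:
        msg: |
          Provisioned:
          - logs: {{ logs_dir }} (owner={{ quarantine_owner }} group={{ quarantine_group }} mode={{ logs_perms }})
          - quarantine: {{ quarantine_dir }} (owner={{ quarantine_owner }} group={{ quarantine_group }} mode={{ quarantine_perms }})
          - state: {{ state_dir }} (owner={{ quarantine_owner }} group={{ quarantine_group }} mode={{ state_perms }})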