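---
# Apache role tasks: install the packages, wire www-data into ssl-cert,
# render the main / module / extra configs, enable modules, configs and
# the default SSL vhost, install the logrotate and systemd overrides,
# start the service, then optionally pull in mod_evasive / mod_security,
# the firewall rules and the Consul service registration.
#
# Conventions used below:
#   * file modes are quoted strings so the YAML parser cannot re-type them
#   * booleans are written true/false

- name: Install Apache packages
  apt:
    pkg:
      - apache2
      - socat
    state: present
  tags: packages

- name: Ensure the ssl-cert group exists
  group:
    name: ssl-cert
    system: true
  tags: packages

# NOTE(review): on Debian-style layouts ssl-cert is the group allowed to
# read private keys. Apache itself normally opens its keys before
# dropping privileges, so this membership also lets any code running as
# www-data read those keys. Confirm it is actually required.
- name: Ensure apache is a member of ssl-cert
  user:
    name: www-data
    groups: ssl-cert
    # append keeps www-data's existing supplementary groups
    append: true
  tags: packages

- name: Install Apache config
  template:
    dest: /etc/apache2/apache2.conf
    src: etc_apache2_apache2.conf.j2
    mode: '0644'
    owner: root
    group: root
  notify: Reload Apache
  tags: configs

- name: Install Apache module configs
  template:
    dest: "/etc/apache2/mods-available/{{ item }}"
    src: "etc_apache2_mods-available_{{ item }}.j2"
    mode: '0644'
    owner: root
    group: root
  with_items:
    - deflate.conf
    - http2.conf
    - ssl.conf
    - status.conf
  notify: Reload Apache
  tags:
    - configs
    - apache-configs

# NOTE(review): `status` exposes the server-status handler; verify that
# the status.conf template limits it to trusted addresses.
- name: Enable Apache modules
  apache2_module:
    name: "{{ item }}"
    state: present
    force: true
  with_items:
    - deflate
    - env
    - expires
    - headers
    - http2
    - reqtimeout
    - rewrite
    - setenvif
    - ssl
    - status
    - unique_id
  notify: Restart Apache
  tags: configs

# Ownership and mode are pinned here the same way as for the other
# Apache templates in this file, so security.conf and logging.conf do not
# depend on the umask (new file) or on whatever was there before.
- name: Install Apache other configs
  template:
    dest: "/etc/apache2/conf-available/{{ item }}"
    src: "etc_apache2_conf-available_{{ item }}.j2"
    mode: '0644'
    owner: root
    group: root
  with_items:
    - logging.conf
    - security.conf
  notify: Reload Apache
  tags: [configs, logging]

# `creates` makes the command a no-op once the conf-enabled entry exists.
- name: Enable Apache other configs
  command: "a2enconf {{ item }}"
  args:
    creates: "/etc/apache2/conf-enabled/{{ item }}"
  with_items:
    - logging.conf
    - security.conf
  notify: Reload Apache
  tags: configs

- name: Enable the SSL default vhost
  command: a2ensite default-ssl
  args:
    creates: /etc/apache2/sites-enabled/default-ssl.conf
  notify: Reload Apache
  tags: configs

- name: Install Apache logrotate snippet
  template:
    dest: /etc/logrotate.d/apache2
    src: etc_logrotate.d_apache2.j2
    mode: '0644'
    owner: root
    group: root
  tags: [configs, logrotate]

- name: Install apache2.service override dir
  file:
    dest: /etc/systemd/system/apache2.service.d
    state: directory
    mode: '0755'
    owner: root
    group: root
  tags: [configs, systemd]

- name: Install apache2.service override
  template:
    dest: /etc/systemd/system/apache2.service.d/local.conf
    src: etc_systemd_system_apache2.service.d_local.conf.j2
    mode: '0644'
    owner: root
    group: root
  notify: Reload Apache systemd
  tags: [configs, systemd]

- name: Ensure Apache is running
  systemd:
    name: apache2
    state: started
    enabled: true
  tags: configs

# NOTE(review): bare `include` is deprecated and no longer accepted by
# recent ansible-core releases. When upgrading, `import_tasks` is the
# replacement that keeps `when` and `tags` applying to the included
# tasks; confirm against the Ansible version in use.
- include: mod_evasive.yml
  when: apache_mod_evasive
  tags: mod_evasive

- include: mod_security.yml
  when: apache_mod_security
  tags: mod_security

# Rule snippets are root-only (0600). The template name is derived from
# the destination path by replacing '/' with '_'.
- name: Install the Apache firewall config
  template:
    dest: "/etc/firewall/{{ item }}"
    src: "etc_firewall_{{ item | replace('/', '_') }}.j2"
    mode: '0600'
    owner: root
    group: root
  when: firewall_enabled and apache_firewall
  notify: Restart firewall
  with_items:
    - rules-v4.d/40_apache.sh
    - rules-v6.d/40_apache.sh
  tags:
    - configs
    - firewall

# NOTE(review): no mode/owner/group is set, so a newly created file gets
# umask-derived permissions. If the rendered service definition carries
# a token, pin a restrictive mode and the owner Consul runs as; the
# template content is not visible from this file.
- name: Register the apache service in Consul
  template:
    dest: /etc/consul.d/service-apache.hcl
    src: etc_consul.d_service-apache.hcl.j2
  when: apache_consul_service
  notify: Reload consul
  tags: configs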