---
#
# Install/run graphite-web for browbeat
#

- name: Install graphite rpms
  yum:
    name: "{{ item }}"
    state: present
  become: true
  with_items:
    - graphite-web
    - python-carbon
    - expect

- name: Check for graphite.db sqlite
  shell: ls /var/lib/graphite-web/graphite.db
  ignore_errors: true
  register: graphite_db_installed

- name: Copy setup-graphite-db.exp
  copy:
    src: setup-graphite-db.exp
    dest: /root/setup-graphite-db.exp
    owner: root
    group: root
    mode: 0755
  become: true

- name: Create initial graphite db
  shell: /root/setup-graphite-db.exp {{ graphite_username }} {{ graphite_password }} && chown apache:apache /var/lib/graphite-web/graphite.db
  become: true
  when: graphite_db_installed.rc != 0
  notify:
    - restart apache

- name: Setup httpd graphite-web config
  template:
    src: graphite-web.conf.j2
    dest: /etc/httpd/conf.d/graphite-web.conf
    owner: root
    group: root
    mode: 0644
  become: true
  notify:
    - restart apache

### begin firewall ###
# we need TCP/80 open
# determine firewall status and take action
# 1) use firewall-cmd if firewalld is utilized
# 2) insert iptables rule if iptables is used

# Firewalld
- name: (graphite-web) Determine if firewalld is in use
  shell: systemctl is-enabled firewalld.service | egrep -qv 'masked|disabled'
  ignore_errors: true
  register: firewalld_in_use
  no_log: true

- name: (graphite-web) Determine if firewalld is active
  shell: systemctl is-active firewalld.service | grep -vq inactive
  ignore_errors: true
  register: firewalld_is_active
  no_log: true

- name: (graphite-web) Determine if TCP/{{graphite_port}} is already active
  shell: firewall-cmd --list-ports | egrep -q "^{{graphite_port}}/tcp"
  ignore_errors: true
  register: firewalld_graphite_port_exists
  no_log: true

- name: (carbon) Determine if TCP/{{carbon_cache_port}} is already active
  shell: firewall-cmd --list-ports | egrep -q "^{{carbon_cache_port}}/tcp"
  ignore_errors: true
  register: firewalld_carbon_cache_port_exists
  no_log: true

# add firewall rule via firewall-cmd
- name: (graphite-web) Add firewall rule for TCP/{{graphite_port}} (firewalld)
  command: "{{ item }}"
  with_items:
    - firewall-cmd --zone=public --add-port={{graphite_port}}/tcp --permanent
    - firewall-cmd --reload
  ignore_errors: true
  become: true
  when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_graphite_port_exists.rc != 0

# add firewall rule via firewall-cmd
- name: (carbon) Add firewall rule for TCP/{{carbon_cache_port}} (firewalld)
  command: "{{ item }}"
  with_items:
    - firewall-cmd --zone=public --add-port={{carbon_cache_port}}/tcp --permanent
    - firewall-cmd --reload
  ignore_errors: true
  become: true
  when: firewalld_in_use.rc == 0 and firewalld_is_active.rc == 0 and firewalld_carbon_cache_port_exists.rc != 0

# iptables-services
- name: (graphite-web) check firewall rules for TCP/{{graphite_port}} (iptables-services)
  shell: grep "dport {{graphite_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
  ignore_errors: true
  register: iptables_graphite_port_exists
  failed_when: iptables_graphite_port_exists == 127
  no_log: true

- name: (carbon) check firewall rules for TCP/{{carbon_cache_port}} (iptables-services)
  shell: grep "dport {{carbon_cache_port}} \-j ACCEPT" /etc/sysconfig/iptables | wc -l
  ignore_errors: true
  register: iptables_carbon_cache_port_exists
  failed_when: iptables_carbon_cache_port_exists == 127
  no_log: true

- name: (graphite-web) Add firewall rule for TCP/{{graphite_port}} (iptables-services)
  lineinfile:
    dest: /etc/sysconfig/iptables
    line: '-A INPUT -p tcp -m tcp --dport {{graphite_port}} -j ACCEPT'
    regexp: '^INPUT -i lo -j ACCEPT'
    insertbefore: '-A INPUT -i lo -j ACCEPT'
    backup: yes
  when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_graphite_port_exists.stdout|int == 0
  register: iptables_needs_restart

- name: (carbon) Add firewall rule for TCP/{{carbon_cache_port}} (iptables-services)
  lineinfile:
    dest: /etc/sysconfig/iptables
    line: '-A INPUT -p tcp -m tcp --dport {{carbon_cache_port}} -j ACCEPT'
    regexp: '^INPUT -i lo -j ACCEPT'
    insertbefore: '-A INPUT -i lo -j ACCEPT'
    backup: yes
  when: firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0 and iptables_carbon_cache_port_exists.stdout|int == 0
  register: iptables_needs_restart

- name: (graphite-web) Restart iptables-services for TCP/{{graphite_port}} (iptables-services)
  shell: systemctl restart iptables.service
  ignore_errors: true
  when: iptables_needs_restart != 0 and firewalld_in_use.rc != 0 and firewalld_is_active.rc != 0

### end firewall ###

- name: Setup httpd service
  service:
    name: httpd
    state: started
    enabled: true
  become: true

- name: Remove httpd welcome config
  become: true
  file:
    path: /etc/httpd/conf.d/welcome.conf
    state: absent
  notify:
    - restart apache

- name: Setup carbon-cache service
  service:
    name: carbon-cache
    state: started
    enabled: true
  become: true

- name: Copy Carbon storage scheme and aggregation config files
  copy:
    src: "{{item.src}}"
    dest: "{{item.dest}}"
    owner: root
    group: root
    mode: 0644
  become: true
  with_items:
    - src: storage-schemas.conf
      dest: /etc/carbon/storage-schemas.conf
    - src: storage-aggregation.conf
      dest: /etc/carbon/storage-aggregation.conf
  notify:
    - restart carbon-cache

- name: Configure carbon.conf
  template:
    src: carbon.conf.j2
    dest: /etc/carbon/carbon.conf
    owner: root
    group: root
    mode: 0644
  become: true
  notify:
    - restart carbon-cache