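---
# We need to do some additional configuration for GitLab to ensure that it
# works and operates immediately with FreeIPA.
#
# Overview of what this task list does:
#   1. Point the omnibus GitLab at the FreeIPA LDAP group tree and disable
#      the bundled nginx so the distribution nginx can front GitLab instead.
#   2. Install and configure that nginx (main config + omnibus vhost).
#   3. Copy the GitLab-generated self-signed certificate/key to nginx.
#   4. Open SELinux booleans/fcontexts and firewall ports for the proxy.
- name: Insert Additional GitLab EE Settings
  blockinfile:
    path: /etc/gitlab/gitlab.rb
    block: |
      gitlab_rails['ldap_group_base'] = 'cn=groups,cn=accounts,dc=rockylinux,dc=org'
      gitlab_rails['ldap_admin_group'] = 'cn=gitadm,cn=groups,cn=accounts,dc=rockylinux,dc=org'
      nginx['enable'] = false
      nginx['external_users'] = ['nginx']
  notify: restart_gitlab

- name: Install nginx normally
  yum:
    name: nginx
    state: present

- name: Reconfigure Main nginx configuration
  template:
    src: "etc/nginx/nginx.conf.j2"
    dest: "/etc/nginx/nginx.conf"
    owner: root
    group: root
    mode: '0644'
    backup: true

- name: Add omnibus nginx configuration
  template:
    src: "etc/nginx/conf.d/omnibus.conf.j2"
    dest: "/etc/nginx/conf.d/omnibus.conf"
    owner: root
    group: root
    mode: '0644'
    backup: true

# The copy tasks below need their destination directory to exist; the
# nginx package does not ship /etc/nginx/ssl, so create it explicitly.
- name: Ensure nginx ssl directory exists
  file:
    path: "/etc/nginx/ssl"
    state: directory
    owner: root
    group: root
    mode: '0755'
  when: gitlab_create_self_signed_cert

# The certificate and key were generated by omnibus GitLab on the managed
# host (under /etc/gitlab/ssl), not on the Ansible controller, so the copy
# must read from the remote side (remote_src). Without it `copy` looks for
# the file on the controller and fails.
- name: Copy self-signed certificates from GitLab
  copy:
    src: "/etc/gitlab/ssl/{{ gitlab_domain }}.crt"
    dest: "/etc/nginx/ssl/{{ gitlab_domain }}.crt"
    remote_src: true
    owner: root
    group: root
    mode: '0644'
  when: gitlab_create_self_signed_cert

# The private key must not be world-readable: nginx reads it as root before
# dropping privileges, so 0600 root:root is sufficient and keeps the key
# out of reach of every other local account.
- name: Copy self-signed certificate key
  copy:
    src: "/etc/gitlab/ssl/{{ gitlab_domain }}.key"
    dest: "/etc/nginx/ssl/{{ gitlab_domain }}.key"
    remote_src: true
    owner: root
    group: root
    mode: '0600'
  when: gitlab_create_self_signed_cert

# httpd_can_network_connect / httpd_can_network_relay let nginx (httpd_t)
# proxy to the GitLab backend. httpd_read_user_content is considerably
# broader (lets httpd_t read user home content); NOTE(review): confirm it
# is actually required for this deployment before keeping it.
- name: Turn on necessary SELinux booleans
  ansible.posix.seboolean:
    name: "{{ item }}"
    state: true
    persistent: true
  loop:
    - httpd_can_network_connect
    - httpd_can_network_relay
    - httpd_read_user_content

- name: Change fcontext to GitLab unix socket for nginx
  community.general.sefcontext:
    target: "/var/opt/gitlab/gitlab-workhorse/sockets/socket"
    setype: httpd_var_run_t
    state: present

# The original `changed_when: "restorecon_result == 0"` compared the whole
# registered result dict to 0, which is never true, so the task could never
# report a change. `restorecon -v` prints one line per file it relabels and
# nothing when already correct, so a non-empty stdout is the change signal.
- name: Apply fcontext to GitLab unix socket for nginx
  command: restorecon -v /var/opt/gitlab/gitlab-workhorse/sockets/socket
  register: restorecon_result
  changed_when: restorecon_result.stdout | length > 0

- name: Add firewall rules - http/s
  ansible.posix.firewalld:
    service: "{{ item }}"
    permanent: true
    state: enabled
    immediate: true
  loop:
    - http
    - https

- name: Enable and Start nginx
  service:
    name: nginx
    enabled: true
    state: started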