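---
# Frontend host provisioning: git + certbot (via galaxy roles), Cockpit on a
# non-default port, Podman, an nginx reverse proxy container and the two
# website containers behind it.
#
# `secrets.*` is not defined in this file; it is expected to come from a
# vars/vault file loaded elsewhere (e.g. group_vars) — confirm before running.
- name: Frontend setup
  hosts: frontend-cockpit
  vars:
    username: matt

    # geerlingguy.certbot configuration
    certbot_install_method: package
    certbot_create_method: standalone
    # certbot_install_method: source
    # certbot_repo: https://github.com/certbot/certbot.git
    # certbot_version: master
    certbot_keep_updated: true
    # certbot_dir: /opt/certbot
    # Standalone challenge listener is moved off :80 because the host publishes
    # the reverse proxy on 8080/8443 (see the container task below); the
    # start/stop hook override copied to /etc/letsencrypt is assumed to free
    # the port during renewal — TODO confirm.
    certbot_create_extra_args: "--http-01-port 8080"
    certbot_auto_renew_user: "root"
    certbot_auto_renew_hour: "3"
    certbot_auto_renew_minute: "30"
    certbot_create_if_missing: true
    certbot_admin_email: matthew@thespencers.me.uk
    certbot_certs:
      - domains:
          - "apptabulous.co.uk"
          - "www.apptabulous.co.uk"
          - "hub.apptabulous.co.uk"
          - "watchtower.apptabulous.co.uk"
        webroot: "/var/www/html"
      - domains:
          - "m5p3nc3r.co.uk"
          - "www.m5p3nc3r.co.uk"
          - "gitea.m5p3nc3r.co.uk"
        webroot: "/var/www/html"

    # Cockpit packages that must stay installed; every other `cockpit-*`
    # package found on the host is removed by the cleanup task below.
    cockpit_plugins:
      - cockpit-podman
    cockpit_core_packages:
      - cockpit
      - cockpit-bridge
      - cockpit-ws
      - cockpit-ws-selinux
      - cockpit-system

  roles:
    - role: geerlingguy.git
      become: true
    - role: geerlingguy.certbot
      become: true

  # pre_tasks run before the roles regardless of their position in this file.
  pre_tasks:
    - name: Install python3-libdnf5 for DNF5 support on Fedora 41+
      become: true
      # raw: the package module itself needs this binding to work on DNF5.
      ansible.builtin.raw: dnf install -y python3-libdnf5
      when: ansible_facts['os_family'] == 'RedHat'
      changed_when: false

  tasks:
    - name: Reload systemd daemon
      become: true
      ansible.builtin.systemd:
        daemon_reload: true

    - name: Install Cockpit
      include_role:
        name: linux-system-roles.cockpit
        apply:
          become: true
      vars:
        # Prometheus is currently running on port 9090
        cockpit_port: 9091
        cockpit_packages: default

    - name: Gather package facts
      ansible.builtin.package_facts:
        manager: auto

    # The list of packages to drop is computed once in task vars so the
    # `name` argument and the `when` guard cannot drift apart.
    - name: Remove unwanted Cockpit plugins
      become: true
      vars:
        unwanted_cockpit_packages: >-
          {{ ansible_facts.packages | dict2items
             | selectattr('key', 'match', '^cockpit-')
             | map(attribute='key')
             | reject('in', cockpit_plugins + cockpit_core_packages)
             | list }}
      ansible.builtin.package:
        name: "{{ unwanted_cockpit_packages }}"
        state: absent
      when: unwanted_cockpit_packages | length > 0

    - name: Install Podman
      become: true
      ansible.builtin.package:
        name: podman
        state: present

    - name: Install Cockpit plugins
      become: true
      ansible.builtin.package:
        name: "{{ cockpit_plugins }}"
        state: present

    # Recursive read on /etc/letsencrypt also exposes the private keys kept
    # under certbot's archive/ and live/ directories to this (rootless
    # container) account; keep the account's access otherwise minimal.
    - name: Grant {{ username }} read access to letsencrypt certificates
      become: true
      ansible.posix.acl:
        path: /etc/letsencrypt
        entity: "{{ username }}"
        etype: user
        permissions: rX
        recursive: true
        state: present

    - name: Override default certbot start/stop jobs
      become: true
      ansible.builtin.copy:
        src: letsencrypt
        dest: /etc

    - name: Copy reverse proxy configuration to host
      become: true
      ansible.builtin.copy:
        src: apptabulous/reverseproxy
        dest: /etc

    - name: Create shared container network
      containers.podman.podman_network:
        name: webservices
        state: present

    # Config and certificate mounts are read-only: nginx only reads them, and
    # a compromised proxy must not be able to rewrite its own config or keys.
    - name: Start reverse proxy container
      containers.podman.podman_container:
        name: reverse_proxy
        image: docker.io/library/nginx:alpine
        restart_policy: always
        network: webservices
        volumes:
          - /etc/reverseproxy/nginx.conf:/etc/nginx/nginx.conf:ro
          - /etc/reverseproxy/conf.d:/etc/nginx/conf.d:ro
          - /etc/reverseproxy/stream.d:/etc/nginx/stream.d:ro
          - /etc/letsencrypt:/etc/letsencrypt:ro
        ports:
          - "8080:80"
          - "8443:443"
        state: started

    # - name: Start docker registry
    #   community.docker.docker_container:
    #     name: registry
    #     image: registry:2
    #     restart_policy: always
    #     ports:
    #       - "5000:5000"
    #     state: started

    # no_log keeps the token out of task output, -v traces and callback logs.
    - name: Log into ghcr.io registry
      # become: true
      containers.podman.podman_login:
        registry: ghcr.io
        username: "{{ secrets.GITHUB_ACTOR }}"
        password: "{{ secrets.GITHUB_TOKEN }}"
      no_log: true

    - name: Open firewall ports for web services
      become: true
      ansible.posix.firewalld:
        port: "{{ item }}/tcp"
        permanent: true
        state: enabled
        immediate: true
      loop:
        - 8080
        - 8443
        # NOTE(review): nothing in this play publishes 2222; confirm it is
        # still required (likely served by a container defined elsewhere).
        - 2222

    # no_log: the env block carries a secret, and module args are otherwise
    # echoed on failure / in verbose mode. Drop it temporarily when debugging.
    - name: Start m5p3nc3r website
      containers.podman.podman_container:
        name: website
        image: ghcr.io/m5p3nc3r/website:main
        restart_policy: always
        network: webservices
        label:
          io.containers.autoupdate: registry
        volumes:
          - /home/matt/public/apps:/app/public/apps:Z
        env:
          NEXT_SERVER_ACTIONS_ENCRYPTION_KEY: "{{ secrets.NEXT_SERVER_ACTIONS_ENCRYPTION_KEY }}"
        state: started
      no_log: true

    - name: Start Apptabulous website
      containers.podman.podman_container:
        name: apptabulous_website
        image: ghcr.io/m5p3nc3r/apptabulous_website:main
        restart_policy: always
        network: webservices
        label:
          io.containers.autoupdate: registry
        state: started

    - name: Enable podman auto-update timer
      become: true
      ansible.builtin.systemd:
        name: podman-auto-update.timer
        enabled: true
        state: started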