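---
# Deploy HAProxy on the "ubuntu" hosts whose inventory `services` list
# contains "haproxy"; every other host is ended early.
#
# Variables this play expects from inventory / group_vars (not defined here):
#   services, haproxy_user, haproxy_group, haproxy_uid, haproxy_gid,
#   keeper_user, haproxy_directory, haproxy_cert_path, haproxy_domain
#
# Ownership model: everything HAProxy only *reads* (its config, the TLS
# PEM and the certs directory) is owned by root and group-readable by the
# haproxy group. A compromised haproxy process therefore cannot rewrite the
# config it is started from (which controls `user`, `chroot`,
# `external-check command`, Lua scripts, ...) or swap the private key.
# Only `haproxy_directory` stays writable by the service account.
- name: Deploy HAProxy
  hosts: ubuntu
  tasks:
    - name: Check if host has haproxy service
      ansible.builtin.set_fact:
        # `services` may be absent on hosts that run nothing; treat as empty.
        has_haproxy_service: "{{ 'haproxy' in (services | default([])) }}"

    - name: Skip hosts without haproxy service
      ansible.builtin.meta: end_host
      when: not has_haproxy_service

    - name: Create haproxy group
      become: true
      ansible.builtin.group:
        name: "{{ haproxy_group }}"
        gid: "{{ haproxy_gid }}"
        system: true

    - name: Create haproxy user
      become: true
      ansible.builtin.user:
        name: "{{ haproxy_user }}"
        comment: "{{ haproxy_user }}"
        group: "{{ haproxy_group }}"
        uid: "{{ haproxy_uid }}"
        system: true
        # Service account: nobody should be able to log in as it.
        shell: /usr/sbin/nologin

    # NOTE(review): members of the haproxy group can read the private key
    # (the PEM is root:haproxy 0640 below). Keep keeper_user in the group
    # only if it genuinely needs that access.
    - name: Add group haproxy to keeper_user
      become: true
      ansible.builtin.user:
        name: "{{ keeper_user }}"
        groups: "{{ haproxy_group }}"
        append: true

    - name: Create required directories
      become: true
      ansible.builtin.file:
        path: "{{ haproxy_directory }}"
        owner: "{{ haproxy_user }}"
        group: "{{ haproxy_group }}"
        state: directory
        mode: "0750"

    - name: Create /etc/haproxy directory
      become: true
      ansible.builtin.file:
        path: /etc/haproxy
        owner: root
        group: root
        state: directory
        mode: "0755"

    - name: Create certs directory
      become: true
      ansible.builtin.file:
        path: /etc/haproxy/certs
        owner: root
        group: "{{ haproxy_group }}"
        state: directory
        # Not world-accessible and not writable by the service account, so
        # haproxy itself cannot replace or delete key material.
        mode: "0750"

    - name: Check if certificate already exists
      become: true
      ansible.builtin.stat:
        path: "{{ haproxy_cert_path }}"
      register: cert_file

    - name: Decide whether a self-signed certificate must be generated
      ansible.builtin.set_fact:
        # Self-sign only when certbot is not managing certs on this host and
        # no usable (non-empty) PEM exists yet; an empty file is treated as the
        # leftover of an interrupted earlier run rather than as "done".
        generate_self_signed: "{{ 'certbot' not in services and (not cert_file.stat.exists or cert_file.stat.size == 0) }}"

    # Pre-create the PEM with a restrictive mode so the private key is never
    # on disk with umask-derived (typically 0644) permissions: openssl
    # truncates an existing file and keeps its mode.
    - name: Create empty certificate file with restrictive mode
      become: true
      ansible.builtin.file:
        path: "{{ haproxy_cert_path }}"
        state: touch
        owner: root
        group: "{{ haproxy_group }}"
        mode: "0600"
      when: generate_self_signed | bool

    - name: Generate self-signed wildcard certificate
      become: true
      ansible.builtin.command:
        # argv: the templated -subj/-addext values are passed as single
        # arguments and never re-split or interpreted by a shell.
        argv:
          - openssl
          - req
          - -x509
          - -nodes
          - -days
          - "365"
          - -newkey
          - "rsa:2048"
          - -keyout
          - "{{ haproxy_cert_path }}"
          # Same file for key and certificate on purpose: OpenSSL appends the
          # certificate when -out equals -keyout, yielding the combined PEM
          # that HAProxy's `crt` directive expects.
          - -out
          - "{{ haproxy_cert_path }}"
          - -subj
          - "/C=US/ST=State/L=City/O=Agathos/CN=*.{{ haproxy_domain }}"
          - -addext
          - "subjectAltName=DNS:*.{{ haproxy_domain }},DNS:{{ haproxy_domain }}"
      when: generate_self_signed | bool

    - name: Set certificate permissions
      become: true
      ansible.builtin.file:
        path: "{{ haproxy_cert_path }}"
        # haproxy only needs to read the PEM; root keeps ownership.
        owner: root
        group: "{{ haproxy_group }}"
        mode: "0640"
      # Skip when nothing has produced a PEM yet (a certbot host before its
      # first issuance); `file` would otherwise fail on the missing path.
      when: (generate_self_signed | bool) or cert_file.stat.exists

    - name: Install HAProxy
      become: true
      ansible.builtin.apt:
        name: haproxy
        state: present
        update_cache: true
        # Avoid hitting the mirrors on every run.
        cache_valid_time: 3600

    - name: Template HAProxy configuration
      become: true
      ansible.builtin.template:
        src: haproxy.cfg.j2
        dest: /etc/haproxy/haproxy.cfg
        # root-owned: the service account must not be able to edit the config
        # it is started from (haproxy starts as root and drops privileges only
        # after parsing it).
        owner: root
        group: "{{ haproxy_group }}"
        mode: "0640"
        # Reject a broken config before it replaces the live one.
        validate: haproxy -c -f %s
      register: haproxy_config

    - name: Enable and start HAProxy service
      become: true
      ansible.builtin.systemd:
        name: haproxy
        enabled: true
        state: started
      register: haproxy_service

    - name: Reload HAProxy if configuration changed
      become: true
      ansible.builtin.systemd:
        name: haproxy
        state: reloaded
      # A service that was just started already runs the new config.
      when: haproxy_config.changed and not haproxy_service.changed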