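---
# Deploys oauth2-proxy as a systemd-managed sidecar for SearXNG.
# A host is processed only when 'searxng' is listed in `services` and
# `searxng_oauth2_client_id` is set to a non-empty value; every other host
# is ended early.
- name: Deploy OAuth2-Proxy sidecar for SearXNG
  hosts: ubuntu
  become: true

  tasks:
    - name: Check if host has searxng service with OAuth2 configured
      ansible.builtin.set_fact:
        has_searxng_oauth2: >-
          {{ 'searxng' in services
          and (searxng_oauth2_client_id | default('')) | length > 0 }}

    - name: Skip hosts without SearXNG OAuth2-Proxy configuration
      ansible.builtin.meta: end_host
      # `| bool` keeps the test correct even if the fact is stored as the
      # string "False", which would otherwise be truthy.
      when: not (has_searxng_oauth2 | bool)

    # =========================================================================
    # OAuth2-Proxy Sidecar
    # Note: Each host supports at most one OAuth2-Proxy sidecar instance
    # (binary shared at /usr/local/bin/oauth2-proxy, unique systemd unit per
    # service)
    # =========================================================================

    - name: Create oauth2-proxy directory
      ansible.builtin.file:
        path: "{{ searxng_oauth2_proxy_dir }}"
        owner: root
        group: root
        state: directory
        mode: '0755'

    # The archive is staged in the root-owned proxy directory, not in /tmp.
    # /tmp is world-writable: a pre-existing file at the predictable archive
    # or `creates:` path would make the download or extraction be skipped,
    # and the install task would then copy that file to /usr/local/bin as
    # root.
    # NOTE(review): this assumes the parent directories of
    # searxng_oauth2_proxy_dir are not writable by unprivileged users.
    - name: Download oauth2-proxy binary
      ansible.builtin.get_url:
        url: "https://github.com/oauth2-proxy/oauth2-proxy/releases/download/v{{ searxng_oauth2_proxy_version }}/oauth2-proxy-v{{ searxng_oauth2_proxy_version }}.linux-amd64.tar.gz"
        dest: "{{ searxng_oauth2_proxy_dir }}/oauth2-proxy-v{{ searxng_oauth2_proxy_version }}.tar.gz"
        # Optional integrity pin (new variable, omitted when undefined).
        # Set searxng_oauth2_proxy_checksum to
        # 'sha256:<digest published for this release>' so a tampered or
        # truncated download fails here instead of being installed.
        checksum: "{{ searxng_oauth2_proxy_checksum | default(omit) }}"
        owner: root
        group: root
        mode: '0644'

    - name: Extract oauth2-proxy binary
      ansible.builtin.unarchive:
        src: "{{ searxng_oauth2_proxy_dir }}/oauth2-proxy-v{{ searxng_oauth2_proxy_version }}.tar.gz"
        dest: "{{ searxng_oauth2_proxy_dir }}"
        remote_src: true
        # Extraction is skipped once this version's binary is unpacked.
        creates: "{{ searxng_oauth2_proxy_dir }}/oauth2-proxy-v{{ searxng_oauth2_proxy_version }}.linux-amd64/oauth2-proxy"

    - name: Install oauth2-proxy binary
      ansible.builtin.copy:
        src: "{{ searxng_oauth2_proxy_dir }}/oauth2-proxy-v{{ searxng_oauth2_proxy_version }}.linux-amd64/oauth2-proxy"
        dest: /usr/local/bin/oauth2-proxy
        owner: root
        group: root
        mode: '0755'
        remote_src: true
      # Without this, a version upgrade would replace the file on disk while
      # the running service kept executing the old binary.
      notify: restart oauth2-proxy-searxng

    - name: Template oauth2-proxy configuration
      ansible.builtin.template:
        src: oauth2-proxy-searxng.cfg.j2
        dest: "{{ searxng_oauth2_proxy_dir }}/oauth2-proxy.cfg"
        owner: root
        group: root
        mode: '0600'
      # NOTE(review): mode 0600 suggests the rendered file holds OAuth2
      # secrets; confirm against the template. `diff: false` keeps its
      # contents out of `--diff` output and run logs.
      diff: false
      notify: restart oauth2-proxy-searxng

    - name: Template oauth2-proxy systemd service
      ansible.builtin.template:
        src: oauth2-proxy-searxng.service.j2
        dest: /etc/systemd/system/oauth2-proxy-searxng.service
        owner: root
        group: root
        mode: '0644'
      notify:
        - reload systemd
        - restart oauth2-proxy-searxng

    - name: Enable and start OAuth2-Proxy service
      ansible.builtin.systemd:
        name: oauth2-proxy-searxng
        enabled: true
        state: started
        # Ensures a unit file written earlier in this run is loaded before
        # the service is started.
        daemon_reload: true

  # Handlers run in the order listed here, so systemd is reloaded before the
  # service is restarted.
  handlers:
    - name: reload systemd
      ansible.builtin.systemd:
        daemon_reload: true

    - name: restart oauth2-proxy-searxng
      ansible.builtin.systemd:
        name: oauth2-proxy-searxng
        state: restarted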