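---
# -----------------------------------------------------------------------------
# Casdoor Deployment Playbook
# -----------------------------------------------------------------------------
# Deploys Casdoor SSO Docker container
# Host: titania.incus (Incus container)
# Endpoint: id.ouranos.helu.ca via HAProxy on Titania
#
# Prerequisites:
#   - postgresql_ssl must be deployed first (provides the database)
#   - Docker must be installed
#   - Alloy must be configured for syslog
#
# Secrets are fetched from Ansible Vault via group_vars/all/vault.yml
#
# Variables this play expects from inventory/group_vars (not defined here):
#   services, casdoor_user, casdoor_group, keeper_user, casdoor_directory
# -----------------------------------------------------------------------------

- name: Deploy Casdoor
  hosts: ubuntu
  tasks:
    # Only hosts whose `services` list contains "casdoor" are configured;
    # every other host ends the play early (end_host), not the whole run.
    - name: Check if host has casdoor service
      ansible.builtin.set_fact:
        has_casdoor_service: "{{ 'casdoor' in services | default([]) }}"

    - name: Skip hosts without casdoor service
      ansible.builtin.meta: end_host
      when: not has_casdoor_service

    # -------------------------------------------------------------------------
    # Create User and Group (system-assigned UID/GID)
    # -------------------------------------------------------------------------
    # Both tasks are registered: ansible.builtin.group returns `gid` and
    # ansible.builtin.user returns `uid`. This replaces the former
    # `getent ... | cut -d: -f3` shell pipelines, which had no pipefail, so a
    # failing getent yielded an empty uid/gid that silently reached the
    # container configuration; it also removes a templated variable from a
    # shell command line.
    - name: Create casdoor group
      become: true
      ansible.builtin.group:
        name: "{{ casdoor_group }}"
        system: true
      register: casdoor_group_result

    - name: Create casdoor user
      become: true
      ansible.builtin.user:
        name: "{{ casdoor_user }}"
        comment: "Casdoor service account"
        group: "{{ casdoor_group }}"
        system: true
        create_home: false
        shell: /usr/sbin/nologin
      register: casdoor_user_result

    # `append: true` keeps keeper_user's existing supplementary groups.
    # The new membership is only visible to this session after the
    # reset_connection task further down.
    - name: Add keeper_user to casdoor group
      become: true
      ansible.builtin.user:
        name: "{{ keeper_user }}"
        groups: "{{ casdoor_group }}"
        append: true

    # -------------------------------------------------------------------------
    # Query uid/gid for Docker container user
    # -------------------------------------------------------------------------
    # casdoor_uid / casdoor_gid are the facts the templates consume; they are
    # taken from the module return values registered above, which fail the
    # task rather than returning an empty string when the account is missing.
    - name: Set uid/gid facts
      ansible.builtin.set_fact:
        casdoor_uid: "{{ casdoor_user_result.uid }}"
        casdoor_gid: "{{ casdoor_group_result.gid }}"

    # -------------------------------------------------------------------------
    # Create Directories
    # -------------------------------------------------------------------------
    # 0750: owner rwx, group r-x, no access for others. Modes are quoted so the
    # YAML parser does not read the leading zero as an octal integer.
    - name: Create casdoor base directory
      become: true
      ansible.builtin.file:
        path: "{{ casdoor_directory }}"
        owner: "{{ casdoor_user }}"
        group: "{{ casdoor_group }}"
        state: directory
        mode: '0750'

    - name: Create casdoor conf directory
      become: true
      ansible.builtin.file:
        path: "{{ casdoor_directory }}/conf"
        owner: "{{ casdoor_user }}"
        group: "{{ casdoor_group }}"
        state: directory
        mode: '0750'

    # -------------------------------------------------------------------------
    # Template Configuration Files
    # -------------------------------------------------------------------------
    # Per the header, these files are rendered with values from Ansible Vault,
    # so they are kept at 0640 (owner rw, group r, no access for others) and
    # any change to them triggers a container restart via the handler.
    - name: Template docker-compose.yml
      become: true
      ansible.builtin.template:
        src: docker-compose.yml.j2
        dest: "{{ casdoor_directory }}/docker-compose.yml"
        owner: "{{ casdoor_user }}"
        group: "{{ casdoor_group }}"
        mode: '0640'
      notify: restart casdoor

    - name: Template app.conf
      become: true
      ansible.builtin.template:
        src: app.conf.j2
        dest: "{{ casdoor_directory }}/conf/app.conf"
        owner: "{{ casdoor_user }}"
        group: "{{ casdoor_group }}"
        mode: '0640'
      notify: restart casdoor

    - name: Template init_data.json
      become: true
      ansible.builtin.template:
        src: init_data.json.j2
        dest: "{{ casdoor_directory }}/conf/init_data.json"
        owner: "{{ casdoor_user }}"
        group: "{{ casdoor_group }}"
        mode: '0640'
      notify: restart casdoor

    # -------------------------------------------------------------------------
    # Reset SSH Connection (apply group changes)
    # -------------------------------------------------------------------------
    # Supplementary group membership is evaluated at login, so the connection
    # is dropped and re-established before the Docker tasks run.
    - name: Reset SSH connection to apply group changes
      ansible.builtin.meta: reset_connection

    # -------------------------------------------------------------------------
    # Start Services
    # -------------------------------------------------------------------------
    # `pull: always` refreshes the image on every run, so an upstream image
    # update is picked up without a separate task.
    - name: Start Casdoor service
      become: true
      community.docker.docker_compose_v2:
        project_src: "{{ casdoor_directory }}"
        state: present
        pull: always

  handlers:
    # Runs once at the end of the play if any template task reported a change.
    - name: restart casdoor
      become: true
      community.docker.docker_compose_v2:
        project_src: "{{ casdoor_directory }}"
        state: restarted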