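---
# Tasks for the tunuifranken web host: TLS certificate, Apache vHost, a
# dedicated system account holding the repository deploy key, the site
# checkout and the nftables HTTPS rule.
# Expected vars: tunuifranken_domain, tunuifranken_server_admin,
# tunuifranken_ssh_keys (with .pub and .priv).
# Handlers referenced: "Reload apache2 service", "Reload nftables service".

- name: Deploy letsencrypt certificate
  ansible.builtin.include_role:
    name: add_cert
  vars:
    add_cert_domain: "{{ tunuifranken_domain }}"
    add_cert_email: "{{ tunuifranken_server_admin }}"
    add_cert_post_hook: systemctl restart apache2

- name: Install needed packages
  become: true
  ansible.builtin.apt:
    name:
      - git
      - acl  # required so become_user can switch to the unprivileged tunuifranken account
    state: present

- name: Create tunuifranken group
  become: true
  ansible.builtin.group:
    name: tunuifranken
    system: true

- name: Create tunuifranken user
  become: true
  ansible.builtin.user:
    name: tunuifranken
    group: tunuifranken
    create_home: true
    home: /var/lib/tunuifranken
    shell: /bin/false  # no interactive login; the account only owns files and runs git
    system: true

- name: Create tunuifranken directory
  become: true
  ansible.builtin.file:
    path: "/var/www/{{ tunuifranken_domain }}"
    owner: tunuifranken
    group: tunuifranken
    state: directory
    mode: "0775"  # quoted: an unquoted 0775 is read as a decimal/octal number by YAML

- name: Copy vHost conf
  become: true
  ansible.builtin.template:
    src: apache2/vhost.conf.j2
    dest: "/etc/apache2/sites-available/{{ tunuifranken_domain }}.conf"
    mode: "0644"
  notify: Reload apache2 service

- name: Activate vHost
  become: true
  ansible.builtin.command: "a2ensite {{ tunuifranken_domain }}.conf"
  register: result
  # a2ensite is not idempotent by itself; only report a change on first activation
  changed_when: "'already enabled' not in result.stdout"
  notify: Reload apache2 service

- name: Create .ssh dir
  become: true
  become_user: tunuifranken
  ansible.builtin.file:
    path: ~/.ssh  # expands to the become_user's home (/var/lib/tunuifranken)
    state: directory
    owner: tunuifranken
    group: tunuifranken
    mode: "0700"

- name: Add SSH public key
  become: true
  become_user: tunuifranken
  ansible.builtin.copy:
    content: "{{ tunuifranken_ssh_keys.pub }}"
    dest: ~/.ssh/id_rsa.pub
    owner: tunuifranken
    group: tunuifranken
    mode: "0644"

- name: Add SSH private key
  become: true
  become_user: tunuifranken
  # keep the key material out of verbose/diff output and logs
  no_log: true
  ansible.builtin.copy:
    content: "{{ tunuifranken_ssh_keys.priv }}"
    dest: ~/.ssh/id_rsa
    owner: tunuifranken
    group: tunuifranken
    mode: "0600"

- name: Clone tunuifranken.info repo
  become: true
  become_user: tunuifranken
  ansible.builtin.git:
    repo: git@tunuifranken.info:flyingscorpio/tunuifranken.info.git
    dest: "/var/www/{{ tunuifranken_domain }}"
    clone: true
    version: main
    update: false  # initial checkout only; later deploys are handled elsewhere
    # NOTE(review): trust-on-first-use for the git host key; pre-seeding
    # known_hosts with the expected key would close that window — confirm
    accept_newhostkey: true
  notify: Reload apache2 service

- name: Allow incoming https
  become: true
  ansible.builtin.copy:
    src: nftables/input.d/https.conf
    dest: /etc/nftables/input.d/https.conf
    mode: "0640"
  notify: Reload nftables service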