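---
# Main task list for the gitea role: loads variables, pulls in the
# prerequisite task files, installs the systemd unit and app.ini, makes sure
# the service is running, then registers the git user's SSH public key
# through the Gitea HTTP API.

# NOTE(review): vault.yml is presumably Ansible Vault-encrypted and the source
# of gitea_user / gitea_pass used further down; confirm it is never committed
# in clear text.
- name: Include vault variables
  ansible.builtin.include_vars: vault.yml

- name: Include apache2 tasks
  ansible.builtin.include_tasks: apache2.yml

- name: Include mariadb tasks
  ansible.builtin.include_tasks: mariadb.yml

- name: Include unix tasks
  ansible.builtin.include_tasks: unix.yml

- name: Include binary tasks
  ansible.builtin.include_tasks: binary.yml

- name: Include backup tasks
  ansible.builtin.include_tasks: backup.yml

- name: Copy /etc/systemd/system/gitea.service
  become: true
  ansible.builtin.template:
    src: gitea.service.j2
    dest: /etc/systemd/system/gitea.service
    owner: root
    group: root
    # Quoted so the mode is always passed as the octal string, whatever the
    # YAML parser does with a bare leading-zero number.
    mode: "0644"
  notify:
    - Reload systemd daemon
    - Start gitea service

# 0640 with owner and group git: the rendered app.ini is not world-readable.
- name: Copy config file
  become: true
  ansible.builtin.template:
    src: app.ini.j2
    dest: "{{ gitea_conf_dir }}/app.ini"
    owner: git
    group: git
    mode: "0640"
  notify:
    - Restart gitea service

# Run the handlers notified above now instead of at the end of the play, so
# the unit file is loaded before the service is started below.
- name: Make sure systemd daemon is reloaded
  ansible.builtin.meta: flush_handlers

- name: Make sure gitea is running
  become: true
  ansible.builtin.systemd:
    name: gitea
    state: started
    enabled: true

# fail2ban tasks need the gitea log file, which should be created when gitea
# runs
- name: Include fail2ban tasks
  ansible.builtin.include_tasks: fail2ban.yml

- name: Include repos tasks
  ansible.builtin.include_tasks: repos.yml

- name: Setup logrotate for gitea logs
  become: true
  ansible.builtin.template:
    src: gitea.logrotate.j2
    dest: /etc/logrotate.d/gitea
    owner: root
    group: root
    mode: "0644"

# No passphrase is set, so the private key is stored unencrypted in the git
# user's home; key size is left at the module default.
- name: Generate SSH keys for git
  become: true
  become_user: git
  community.crypto.openssh_keypair:
    path: ~/.ssh/id_rsa
    type: rsa
    comment: "git@{{ ansible_fqdn }}"
  register: ssh_key

# NOTE(review): both API calls send the account password with HTTP basic auth
# on every request. A scoped access token would limit what a leaked
# credential can do; confirm whether the deployment allows it.
- name: Get previously added SSH keys
  ansible.builtin.uri:
    url: https://git.tunuifranken.info/api/v1/user/keys
    method: GET
    user: "{{ gitea_user }}"
    password: "{{ gitea_pass }}"
    force_basic_auth: true
  register: present_ssh_keys

# `| list` materialises the map() result so the `in` test in the next task
# runs against a real list rather than a lazy iterator.
- name: List SSH fingerprints
  ansible.builtin.set_fact:
    present_ssh_fingerprints: >-
      {{ present_ssh_keys.json | map(attribute='fingerprint') | list }}

# Only POST when the key's fingerprint is not already registered, which keeps
# the task idempotent across runs.
- name: Add SSH key using Gitea's API
  ansible.builtin.uri:
    url: https://git.tunuifranken.info/api/v1/user/keys
    method: POST
    user: "{{ gitea_user }}"
    password: "{{ gitea_pass }}"
    force_basic_auth: true
    status_code: 201
    body_format: json
    body:
      key: "{{ ssh_key.public_key | trim }}"
      read_only: false
      title: "{{ ssh_key.comment | trim }}"
  when: ssh_key.fingerprint not in present_ssh_fingerprints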