---
- name: "set the user variables"
  ansible.builtin.import_role:
    name: "services/include"
    vars_from: "user"

- name: "set the version variables"
  ansible.builtin.import_role:
    name: "services/deploy/include"
    vars_from: "versions"

- name: "set the rproxy variables"
  ansible.builtin.include_vars:
    file: "nginx.yml"

- block:

    - name: "create nginx conf.d"
      ansible.builtin.file:
        path: "\
          {{ services_service_user_home }}/.config/{{ services_service_user_name }}/nginx-conf.d"
        state: "directory"
        mode: 0755

    - name: "configure reverse proxy nginx"
      ansible.builtin.copy:
        src: "./config/{{ item }}"
        dest: "{{ services_service_user_home }}/.config/{{ services_service_user_name }}/{{ item }}"
        mode: 0644
      loop: "{{ services_rproxy_nginx_conf_d_files }}"
      register: services_deploy_lrproxy_config_files

    - name: "configure systemd service"
      ansible.builtin.template:
        src: "./systemd/{{ item }}.j2"
        dest: "{{ services_service_user_home }}/.config/systemd/user/{{ item }}"
        mode: 0600
      loop:
        - "pod-lrproxy.service"
        - "container-lrproxy-nginx.service"
      register: services_deploy_lrproxy_systemd_files

    - name: "systemd user daemon reload"
      ansible.builtin.systemd:
        daemon_reload: true
        scope: "user"
      when:
        services_deploy_lrproxy_systemd_files.changed

    - name: "generate diffie hellman ephemeral parameters"
      ansible.builtin.command: >-
        openssl dhparam
        --out /{{ services_service_user_home }}/.config/{{ services_service_user_name }}/dhparam.pem
        4096
      args:
        creates: "\
          {{ services_service_user_home }}/.config/{{ services_service_user_name }}/dhparam.pem"
      register: services_deploy_lrproxy_dhparam

    - block:

        - name: "configure rsync-certificates service"
          ansible.builtin.template:
            src: "./systemd/{{ item }}.j2"
            dest: "{{ services_service_user_home }}/.config/systemd/user/{{ item }}"
            mode: 0600
          loop:
            - "rsync-certificates.service"
            - "rsync-certificates.timer"
          register: services_deploy_lrproxy_rsync_certificates_files

        - name: "systemd user daemon reload"
          ansible.builtin.systemd:
            daemon_reload: true
            scope: "user"
          when:
            services_deploy_lrproxy_rsync_certificates_files.changed

        - name: "enable rsync-certificates timer"
          ansible.builtin.systemd:
            name: "rsync-certificates.timer"
            enabled: true
            scope: "user"
          register: services_deploy_lrproxy_rsync_certificates_timer

        - name: "create the .ssh directory"
          ansible.builtin.file:
            path: "{{ services_service_user_home }}/.ssh"
            state: "directory"
            mode: 0700

        - name: "generate ssh keypair for rsync"
          community.crypto.openssh_keypair:
            path: "\
              {{ services_service_user_home }}/.ssh/\
              {{ services_host_services.lrproxy.rproxy_host }}-\
              {{ services_host_services.lrproxy.rproxy_user }}"
            type: "ed25519"
          register: services_deploy_lrproxy_keypair

        - name: "configure public key on {{ services_host_services.lrproxy.rproxy_host }}"
          ignore_unreachable: "{{ services_deploy_lrproxy_ignore_unreachable_rproxy }}"
          delegate_to: "{{ services_host_services.lrproxy.rproxy_host }}"
          become_user: "{{ services_host_services.lrproxy.rproxy_user }}"
          ansible.posix.authorized_key:
            user: "{{ services_host_services.lrproxy.rproxy_user }}"
            state: "present"
            key: "{{ services_deploy_lrproxy_keypair.public_key }}"
            key_options: "\
              command=\"rsync --server --sender -avz . \
              {{ hostvars[services_host_services.lrproxy.rproxy_host].services_data_directory }}/\
              {{ services_host_services.lrproxy.rproxy_user }}/etc-letsencrypt/\
              \",from=\"{{ vpn_wireguard_address }}\",\
              no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-x11-forwarding"

      when:
        services_host_services.lrproxy.rproxy_host is defined

    - name: "get uid"
      ansible.builtin.getent:
        database: "passwd"
        key: "{{ services_service_user_name }}"

    - name: "get service status"
      ansible.builtin.command: >-
        systemctl --user show --property ActiveState --value
        {{ services_service_user_name }}.service
      environment:
        XDG_RUNTIME_DIR: "/run/user/{{ getent_passwd[services_service_user_name].1 }}"
      changed_when: false
      register: services_deploy_lrproxy_service_active_state

    - name: "restart the service"
      ansible.builtin.systemd:
        name: "pod-{{ services_service_name }}.service"
        state: "restarted"
        scope: "user"
      when:
        (services_deploy_lrproxy_config_files.changed or
        services_deploy_lrproxy_systemd_files.changed or
        services_deploy_lrproxy_rsync_certificates_files.changed or
        services_deploy_lrproxy_rsync_certificates_timer.changed or
        services_deploy_lrproxy_dhparam.changed or
        services_deploy_lrproxy_keypair.changed) and
        services_deploy_lrproxy_service_active_state.stdout == "active"

  become_user: "{{ services_service_user_name }}"