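---
# Deploys the pbri Docker stack on host "nanna": service accounts with fixed
# UIDs, the shared Caddy network, the compose files and the vault-encrypted
# .env files, then the compose projects themselves. Caddy and Gitea are
# brought up first; everything else waits until Gitea answers over HTTPS.
- name: Update Docker configuration
  hosts: nanna
  tasks:
    # Fixed UIDs keep the `user:` entries in docker-compose.yaml and the
    # ownership of the bind-mounted volume directories (further down) in sync.
    - name: Add users for running containers
      become: true
      ansible.builtin.user:
        name: "{{ item.name }}"
        uid: "{{ item.uid }}"
        state: "{{ item.state }}"
        create_home: false
        system: true
      loop:
        - name: postgres
          uid: 70
          state: present
        - name: hackmd
          uid: 1500
          state: present
        - name: gitea
          uid: 42001
          state: present
        - name: caddy
          uid: 42002
          state: present

    - name: Create Caddy network
      become: true
      community.docker.docker_network:
        name: caddy-network
        state: present

    - name: Upload docker configuration
      become: true
      ansible.builtin.copy:
        src: ../../docker/docker
        dest: /etc/pbri
        # Files should be inaccessible to non-root users.
        mode: u=rw,g=,o=
        # Directories should be listable.
        directory_mode: u=rwx,g=rx,o=rx

    - name: Create directory for docker volumes
      become: true
      ansible.builtin.file:
        path: /var/lib/pbri/docker
        state: directory
        # Hide contents from non-root users
        mode: u=rwx,g=,o=

    # The .env files carry credentials: they stay vault-encrypted in the repo
    # and only exist in clear text on the target, readable by root alone.
    - name: Upload and decrypt docker environment vars
      become: true
      ansible.builtin.copy:
        src: "../../docker/envs/{{ item.name }}/.env"
        dest: "/etc/pbri/docker/{{ item.name }}/.env"
        # Files should be inaccessible to non-root users.
        mode: u=rw,g=,o=
        # This is true by default but I put it here anyways
        # to emphasize what's happening
        decrypt: true
      loop:
        - name: gitea
        - name: codi

    # This needs to be done for any services where user:
    # is set in docker-compose.yaml.
    - name: Create volume directories with correct permissions
      become: true
      ansible.builtin.file:
        path: "/var/lib/pbri/docker/{{ item.name }}"
        owner: "{{ item.user }}"
        # NOTE(review): assumes a group named like the user exists (user
        # private group created with the account above) — confirm on the host.
        group: "{{ item.user }}"
        state: directory
        mode: u=rwx,g=,o=
      loop:
        - name: caddy_config
          user: caddy
        - name: caddy_data
          user: caddy

    # Since some docker-compose configuration might want to pull
    # images from the Gitea package repository, we need to ensure
    # that Gitea is reachable before those configurations are deployed.
    - name: Set up caddy and gitea containers
      become: true
      community.docker.docker_compose_v2:
        project_src: "/etc/pbri/docker/{{ item.name }}"
        state: "{{ item.state }}"
        build: "always"
        pull: "always"
      loop:
        - name: caddy
          state: present
        - name: gitea
          state: present

    # Before deploying the remaining configs below, we check that
    # Gitea is reachable at git.pbrinkmeier.de
    - name: Wait for gitea to be reachable
      # A read-only GET, so it is safe to run even in check mode.
      check_mode: false
      ansible.builtin.uri:
        method: GET
        # Plain HTTPS; certificate validation is left at the module default.
        url: https://git.pbrinkmeier.de/api/v1/version
      register: gitea_version_response
      # Failed attempts (connection refused, non-200) are retried as well;
      # 10 retries x 3 s gives Gitea about 30 s to come up.
      until: gitea_version_response.status == 200
      retries: 10
      delay: 3  # Retry every 3 seconds

    - name: Set up other containers
      become: true
      community.docker.docker_compose_v2:
        project_src: "/etc/pbri/docker/{{ item.name }}"
        state: "{{ item.state }}"
        build: "always"
        pull: "always"
      loop:
        - name: codi
          state: present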