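---
# Ansible tasks: Gitea (docker compose) behind nginx.
#   - Web UI: TLS terminated with a Cloudflare origin certificate.
#   - Registry domain: Let's Encrypt certificate via the dns-cloudflare plugin
#     (DNS-only record, no Cloudflare proxy).
# Variables expected from the caller: gitea_data_dir, cf_origin_cert,
#   cf_origin_key, cloudflare_api_token, letsencrypt_email,
#   gitea_registry_domain.
# Handlers expected from the caller: "Restart gitea", "Reload nginx".
# Tasks that write private material (origin key, API token) carry no_log so the
# value is not echoed in task results or --diff output.

- name: Install dependencies
  ansible.builtin.apt:
    name: [nginx, docker.io, docker-compose-v2]
    state: present
    update_cache: true

- name: Enable and start Docker
  ansible.builtin.systemd:
    name: docker
    enabled: true
    state: started

- name: Create gitea data directory
  ansible.builtin.file:
    path: "{{ gitea_data_dir }}"
    state: directory
    owner: root
    group: root
    mode: "0700"

- name: Deploy docker-compose file
  ansible.builtin.template:
    src: docker-compose.yml.j2
    dest: "{{ gitea_data_dir }}/docker-compose.yml"
    mode: "0600"
  notify: Restart gitea

- name: Start gitea
  community.docker.docker_compose_v2:
    project_src: "{{ gitea_data_dir }}"
    state: present

# ─── Cloudflare Origin Certificate ───────────────────────────────────────────
- name: Create SSL directory
  ansible.builtin.file:
    path: /etc/nginx/ssl
    state: directory
    owner: root
    group: root
    mode: "0700"

- name: Install Cloudflare origin certificate
  ansible.builtin.copy:
    content: "{{ cf_origin_cert }}"
    dest: /etc/nginx/ssl/cf-origin.pem
    owner: root
    group: root
    mode: "0600"
  notify: Reload nginx

- name: Install Cloudflare origin key
  ansible.builtin.copy:
    content: "{{ cf_origin_key }}"
    dest: /etc/nginx/ssl/cf-origin.key
    owner: root
    group: root
    mode: "0600"
  # Private key material: keep it out of the play log and diff output.
  no_log: true
  notify: Reload nginx

# ─── nginx ───────────────────────────────────────────────────────────────────
- name: Deploy nginx config
  ansible.builtin.template:
    src: nginx.conf.j2
    dest: /etc/nginx/sites-available/gitea
    mode: "0644"
  notify: Reload nginx

- name: Enable nginx site
  ansible.builtin.file:
    src: /etc/nginx/sites-available/gitea
    dest: /etc/nginx/sites-enabled/gitea
    state: link
  notify: Reload nginx

- name: Remove nginx default site
  ansible.builtin.file:
    path: /etc/nginx/sites-enabled/default
    state: absent
  notify: Reload nginx

- name: Ensure nginx is started
  ansible.builtin.systemd:
    name: nginx
    enabled: true
    state: started

# ─── Registry (Let's Encrypt cert, DNS-only / no Cloudflare proxy) ───────────
- name: Install certbot and Cloudflare DNS plugin
  ansible.builtin.apt:
    name: [certbot, python3-certbot-dns-cloudflare]
    state: present

- name: Write Cloudflare credentials for certbot
  ansible.builtin.copy:
    content: |
      dns_cloudflare_api_token = {{ cloudflare_api_token }}
    dest: /etc/letsencrypt/cloudflare.ini
    owner: root
    group: root
    mode: "0600"
  # API token: keep it out of the play log and diff output.
  no_log: true

# Runs once (guarded by `creates`). The deploy hook is recorded in the
# renewal config, so every later renewal by certbot.timer also reloads nginx;
# without it nginx keeps serving the pre-renewal certificate until restarted.
- name: Obtain Let's Encrypt cert for registry domain
  ansible.builtin.command: >
    certbot certonly
    --dns-cloudflare
    --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini
    --non-interactive
    --agree-tos
    --email {{ letsencrypt_email }}
    -d {{ gitea_registry_domain }}
    --deploy-hook "systemctl reload nginx"
  args:
    creates: /etc/letsencrypt/live/{{ gitea_registry_domain }}/fullchain.pem

- name: Deploy registry nginx config
  ansible.builtin.template:
    src: nginx-registry.conf.j2
    dest: /etc/nginx/sites-available/registry
    mode: "0644"
  notify: Reload nginx

- name: Enable registry nginx site
  ansible.builtin.file:
    src: /etc/nginx/sites-available/registry
    dest: /etc/nginx/sites-enabled/registry
    state: link
  notify: Reload nginx

- name: Enable certbot renewal timer
  ansible.builtin.systemd:
    name: certbot.timer
    enabled: true
    state: started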