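---
# Task file for what appears to be the `podman_link` role (every variable is
# prefixed `podman_link_`). It lays out the rootless podman user's home
# directory, installs the Quadlet units for the Zammad / bridge stack,
# verifies them, starts the `link.slice` user unit and runs two one-off
# in-container setup commands.
#
# All destination paths are built as `/home/{{ podman_link_podman_rootless_user }}/...`;
# nothing here creates `~/.config/containers/systemd` or
# `~/.config/systemd/user`, so those are presumably provided by a
# dependency role -- confirm before reordering tasks.
#
# The registered variables `es_ssl_result` and `securityadmin_scipt_result`
# keep their original names (the latter is misspelled): registered variables
# are visible play-wide and may be referenced by other tasks or handlers.

- name: create service configuration directories
  ansible.builtin.file:
    path: "/home/{{ podman_link_podman_rootless_user }}/{{ item }}"
    state: directory
    owner: "{{ podman_link_podman_rootless_user }}"
    group: "{{ podman_link_podman_rootless_user }}"
    mode: "0755"
  become: true
  loop:
    - zammad-storage
    - zammad-var
    - zammad-backup
    - zammad-data
    - signal-cli-rest-api-data
    - bridge-postgresql-data
    - bridge-whatsapp-data
    - redis-data
    - postgresql-data

# NOTE(review): these two directories are world-writable (0777), presumably
# because the container processes run as a non-root UID that maps to a
# subordinate host UID and therefore cannot write an owner-only directory.
# Owning the directory by that mapped UID instead (for example via
# `podman unshare chown`) would avoid exposing it to every local account.
- name: create configuration directories where containers need to execute scripts
  ansible.builtin.file:
    path: "/home/{{ podman_link_podman_rootless_user }}/{{ item }}"
    state: directory
    owner: "{{ podman_link_podman_rootless_user }}"
    group: "{{ podman_link_podman_rootless_user }}"
    mode: "0777"
  become: true
  loop:
    - zammad-config-nginx
    - opensearch-data

# NOTE(review): installed world-readable (0444). If this template carries
# database credentials, any local account on the host can read them; confirm
# whether a tighter mode (or a podman secret) still works for the container's
# mapped UID before relaxing it further.
- name: install zammad railsserver database configuration file
  ansible.builtin.template:
    src: "{{ item }}"
    dest: "/home/{{ podman_link_podman_rootless_user }}/{{ item }}"
    owner: "{{ podman_link_podman_rootless_user }}"
    group: "{{ podman_link_podman_rootless_user }}"
    mode: "0444"
  become: true
  loop:
    - zammad-database.yml

# Environment files are owner-only (0600) because they are the usual place
# for service credentials. `group` is set to the rootless user like the other
# files in its home directory; it has no effect on access with this mode.
- name: install env configuration files
  ansible.builtin.template:
    src: "{{ item }}"
    dest: "/home/{{ podman_link_podman_rootless_user }}/.config/containers/systemd/{{ item }}"
    owner: "{{ podman_link_podman_rootless_user }}"
    group: "{{ podman_link_podman_rootless_user }}"
    mode: "0600"
  become: true
  loop:
    - common-zammad.env
    - common-bridge.env

# `sysctl` is the short name routed to `ansible.posix.sysctl`; the FQCN is
# used to match the `ansible.builtin.*` style of the rest of the file.
# 262144 is the minimum vm.max_map_count OpenSearch/Elasticsearch document
# for production use.
- name: Set sysctl settings for elasticsearch
  ansible.posix.sysctl:
    name: vm.max_map_count
    value: '262144'
    state: present
  become: true

# NOTE(review): the task name says Memcached, but Redis (also deployed below
# as zammad-redis) is the service that warns when vm.overcommit_memory is 0;
# confirm which one this setting is for and rename the task accordingly.
- name: Set vm.overcommit_memory for Memcached
  ansible.posix.sysctl:
    name: vm.overcommit_memory
    value: '1'
    state: present
  become: true

# Plain copy (no templating) of a static OpenSearch configuration; `src` is
# resolved relative to the role, so the file lives under templates/ even
# though it is not rendered.
- name: install opensearch config
  ansible.builtin.copy:
    src: templates/opensearch-config.yml
    dest: "/home/{{ podman_link_podman_rootless_user }}/opensearch-config.yml"
    mode: "0444"
    owner: "{{ podman_link_podman_rootless_user }}"
    group: "{{ podman_link_podman_rootless_user }}"
  become: true

# Quadlet container units are rendered as templates, readable only by the
# rootless user (0400) since they may embed secrets.
- name: install podman quadlet for rootless podman user
  ansible.builtin.template:
    src: "{{ item }}"
    dest: "/home/{{ podman_link_podman_rootless_user }}/.config/containers/systemd/{{ item }}"
    owner: "{{ podman_link_podman_rootless_user }}"
    group: "{{ podman_link_podman_rootless_user }}"
    mode: "0400"
  become: true
  loop:
    - link.container
    - zammad-opensearch.container
    - opensearch-dashboards.container
    - bridge-worker.container
    - bridge-postgresql.container
    - bridge-whatsapp.container
    - signal-cli-rest-api.container
    - zammad-init.container
    - zammad-nginx.container
    - zammad-railsserver.container
    - zammad-scheduler.container
    - zammad-postgresql.container
    - zammad-websocket.container
    - zammad-redis.container
    - zammad-memcached.container

- name: install network quadlets for rootless podman user
  ansible.builtin.template:
    src: "{{ item }}"
    dest: "/home/{{ podman_link_podman_rootless_user }}/.config/containers/systemd/{{ item }}"
    owner: "{{ podman_link_podman_rootless_user }}"
    group: "{{ podman_link_podman_rootless_user }}"
    mode: "0400"
  become: true
  loop:
    - frontend.network
    - link.network

# Dry-run the Quadlet generator as the rootless user so a broken unit is
# caught before systemd is asked to load it. The task never fails by itself
# (`failed_when: false`); the assert below checks the exit code. The generated
# units can embed values from the templated quadlets, so the output is kept
# out of logs with `no_log` -- drop it temporarily when debugging a failure.
- name: verify quadlets are correctly defined
  ansible.builtin.command: /usr/libexec/podman/quadlet -dryrun -user
  register: podman_link_quadlet_result
  failed_when: false
  changed_when: false
  no_log: true
  become: true
  become_user: "{{ podman_link_podman_rootless_user }}"

- name: assert that the quadlet verification succeeded
  ansible.builtin.assert:
    that:
      - podman_link_quadlet_result.rc == 0
    fail_msg: "'/usr/libexec/podman/quadlet -dryrun -user' failed! Output withheld to prevent leaking secrets."

# Unit files are data, not executables: 0644 (the previous 0655 granted
# group/other an execute bit that a .slice file never needs).
- name: install services slice for rootless podman user
  ansible.builtin.template:
    src: "link.slice"
    dest: "/home/{{ podman_link_podman_rootless_user }}/.config/systemd/user/link.slice"
    owner: "{{ podman_link_podman_rootless_user }}"
    group: "{{ podman_link_podman_rootless_user }}"
    mode: "0644"
  become: true

# Talks to the rootless user's own systemd instance (`scope: user`), which
# requires that instance to be running -- presumably lingering is enabled
# for the user elsewhere. `daemon_reload` picks up the slice and the Quadlet
# units installed above.
- name: make sure services are started on boot
  ansible.builtin.systemd_service:
    name: "link.slice"
    enabled: true
    state: started
    daemon_reload: true
    scope: user
  become: true
  become_user: "{{ podman_link_podman_rootless_user }}"
  notify:
    - "restart link.slice"

# Turns off TLS certificate verification for Zammad's OpenSearch connection
# (presumably the OpenSearch certificate is self-signed). The retry loop
# waits for the railsserver container to come up. No shell features are used,
# so `command` is sufficient.
# NOTE(review): this task reports "changed" on every run and therefore
# notifies a restart of the whole slice each time the role is applied.
- name: set es verify false
  ansible.builtin.command: >
    podman exec zammad-railsserver rails r "Setting.set('es_ssl_verify', false)"
  become: true
  become_user: "{{ podman_link_podman_rootless_user }}"
  notify:
    - "restart link.slice"
  register: es_ssl_result
  retries: 20
  delay: 5
  until: es_ssl_result.rc == 0

# Initialises the OpenSearch security index once per container lifetime; the
# guard file lives in the container's /tmp, so the script re-runs after the
# container is recreated. `-nhnv` disables hostname verification of the
# admin certificate and `-icl` ignores the cluster name; both weaken the TLS
# check against the node. The script prints a marker only when it actually
# ran securityadmin, which drives `changed_when` so an already-initialised
# cluster no longer triggers a restart of the slice.
- name: Run OpenSearch setup script
  ansible.builtin.shell: |
    podman exec zammad-opensearch /bin/sh -c '
    if [ ! -f /tmp/.securityadmin_done ]; then
      chmod +x /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh && \
      /usr/share/opensearch/plugins/opensearch-security/tools/securityadmin.sh \
        -cd /usr/share/opensearch/config/opensearch-security/ \
        -icl \
        -key /usr/share/opensearch/config/kirk-key.pem \
        -cert /usr/share/opensearch/config/kirk.pem \
        -cacert /usr/share/opensearch/config/root-ca.pem \
        -nhnv && \
      touch /tmp/.securityadmin_done && \
      echo SECURITYADMIN_APPLIED
    fi
    '
  become: true
  become_user: "{{ podman_link_podman_rootless_user }}"
  register: securityadmin_scipt_result
  retries: 20
  delay: 5
  until: securityadmin_scipt_result.rc == 0
  changed_when: "'SECURITYADMIN_APPLIED' in securityadmin_scipt_result.stdout"
  notify:
    - "restart link.slice"

# Front-end reverse proxy, provided by the shared podman_nginx role and
# attached to the same slice so it restarts with the rest of the stack.
- name: set up nginx
  ansible.builtin.include_role:
    name: irl.wip.podman_nginx
  vars:
    podman_nginx_frontend_network: frontend
    podman_nginx_podman_rootless_user: "{{ podman_link_podman_rootless_user }}"
    podman_nginx_primary_hostname: "{{ podman_link_web_hostname }}"
    podman_nginx_systemd_service_slice: link.slice
    podman_nginx_systemd_service_requires: ["zammad-nginx"]

- name: create nginx configuration file
  ansible.builtin.template:
    src: nginx.conf
    dest: "/home/{{ podman_link_podman_rootless_user }}/nginx/nginx.conf"
    owner: "{{ podman_link_podman_rootless_user }}"
    group: "{{ podman_link_podman_rootless_user }}"
    mode: "0644"
  become: true
  notify:
    - "restart link.slice"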