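---
# Deploy Prometheus as a rootless podman quadlet for the user named by
# podman_prometheus_podman_rootless_user. Files the container must own are
# chowned to the host UID/GID that the user's subordinate ID ranges map to the
# container's UID/GID 65534, so the subuid/subgid ranges are read and checked
# before any chown happens.

- name: Podman Prometheus | PATCH | Install data plate
  ansible.builtin.template:
    src: etc/motd.d/10-data-plate.txt
    dest: /etc/motd.d/10-data-plate.txt
    owner: root
    group: root
    mode: "0444"
  become: true

# `name` is the documented include_role parameter (and what the nginx include
# further down uses); kept consistent here.
- name: Podman Prometheus | PATCH | Install podman and verify rootless podman user
  ansible.builtin.include_role:
    name: sr2c.core.podman_host
  vars:
    podman_host_minimum_unpriv_port: 80
    podman_host_rootless_users: ["{{ podman_prometheus_podman_rootless_user }}"]

- name: Podman Prometheus | AUDIT | Get subuid range for user
  ansible.builtin.command:
    cmd: "getsubids {{ podman_prometheus_podman_rootless_user }}"
  register: _podman_prometheus_user_subuid
  changed_when: false

- name: Podman Prometheus | AUDIT | Get subgid range for user
  ansible.builtin.command:
    cmd: "getsubids -g {{ podman_prometheus_podman_rootless_user }}"
  register: _podman_prometheus_user_subgid
  changed_when: false

# getsubids prints one line per range as "<index>: <user> <start> <count>".
# Only the first range is used; the count is kept so the range size can be
# checked before it is relied on for ownership below.
- name: Podman Prometheus | AUDIT | Parse outputs of getsubids and store results
  ansible.builtin.set_fact:
    _podman_prometheus_user_subuid_start: "{{ (_podman_prometheus_user_subuid.stdout_lines[0].split()[2] | int) }}"
    _podman_prometheus_user_subuid_count: "{{ (_podman_prometheus_user_subuid.stdout_lines[0].split()[3] | int) }}"
    _podman_prometheus_user_subgid_start: "{{ (_podman_prometheus_user_subgid.stdout_lines[0].split()[2] | int) }}"
    _podman_prometheus_user_subgid_count: "{{ (_podman_prometheus_user_subgid.stdout_lines[0].split()[3] | int) }}"

# Container ID N maps to host ID <start> + N - 1 (container ID 1 is the first
# subordinate ID), so reaching the container's UID/GID 65534 needs a range of
# at least 65534 IDs. With a shorter range the chown below would land on an ID
# outside this user's allocation, possibly inside another user's range.
- name: Podman Prometheus | AUDIT | Assert the subordinate ID ranges reach container UID/GID 65534
  ansible.builtin.assert:
    that:
      - (_podman_prometheus_user_subuid_count | int) >= 65534
      - (_podman_prometheus_user_subgid_count | int) >= 65534
    fail_msg: >-
      The first subuid/subgid range of {{ podman_prometheus_podman_rootless_user }}
      is too small to map container UID/GID 65534
      (subuid count {{ _podman_prometheus_user_subuid_count }},
      subgid count {{ _podman_prometheus_user_subgid_count }}).

# Prometheus runs with UID/GID 65534 inside the container, which is host ID
# <subordinate range start> + 65533. Mode 0700 means only the container (via
# the user namespace) can read these directories; the rootless user itself
# cannot without `podman unshare`.
- name: Podman Prometheus | PATCH | Create data and service discovery directories for Prometheus
  ansible.builtin.file:
    path: "/home/{{ podman_prometheus_podman_rootless_user }}/{{ item }}"
    owner: "{{ (_podman_prometheus_user_subuid_start | int) + 65533 }}"
    group: "{{ (_podman_prometheus_user_subgid_start | int) + 65533 }}"
    mode: "0700"
    state: directory
  loop:
    - prometheus-data
    - file-configs
  become: true

# Same mapping as above: the configuration is readable only by the container's
# UID 65534.
- name: Podman Prometheus | PATCH | Install Prometheus configuration
  ansible.builtin.template:
    src: home/podman/prometheus.yml
    dest: "/home/{{ podman_prometheus_podman_rootless_user }}/prometheus.yml"
    mode: "0400"
    owner: "{{ (_podman_prometheus_user_subuid_start | int) + 65533 }}"
    group: "{{ (_podman_prometheus_user_subgid_start | int) + 65533 }}"
  become: true
  notify:
    - Restart Prometheus

# NOTE(review): assumes ~/.config/containers/systemd already exists for the
# rootless user (presumably created by sr2c.core.podman_host) — confirm.
# group is set explicitly so the file is not left group-owned by root.
- name: Podman Prometheus | PATCH | Install container quadlets
  ansible.builtin.template:
    src: "home/podman/config/containers/systemd/{{ item }}"
    dest: "/home/{{ podman_prometheus_podman_rootless_user }}/.config/containers/systemd/{{ item }}"
    owner: "{{ podman_prometheus_podman_rootless_user }}"
    group: "{{ podman_prometheus_podman_rootless_user }}"
    mode: "0400"
  loop:
    - prometheus.container
  become: true
  notify:
    - Restart Prometheus

- name: Podman Prometheus | PATCH | Install network quadlets
  ansible.builtin.template:
    src: "home/podman/config/containers/systemd/{{ item }}"
    dest: "/home/{{ podman_prometheus_podman_rootless_user }}/.config/containers/systemd/{{ item }}"
    owner: "{{ podman_prometheus_podman_rootless_user }}"
    group: "{{ podman_prometheus_podman_rootless_user }}"
    mode: "0400"
  loop:
    - frontend.network
  become: true
  notify:
    - Restart Prometheus
    - Restart nginx

# The dry run prints the generated unit files, which can carry secrets from the
# quadlet templates; no_log keeps them out of verbose play output as well, in
# line with the assert below withholding the output. failed_when: false lets
# the assert be the single place where the result is judged.
- name: Podman Prometheus | AUDIT | Verify quadlets are correctly defined
  ansible.builtin.command: /usr/libexec/podman/quadlet -dryrun -user
  register: podman_prometheus_quadlet_result
  failed_when: false
  changed_when: false
  no_log: true
  become: true
  become_user: "{{ podman_prometheus_podman_rootless_user }}"

- name: Podman Prometheus | AUDIT | Assert that the quadlet verification succeeded
  ansible.builtin.assert:
    that:
      - podman_prometheus_quadlet_result.rc == 0
    fail_msg: "'/usr/libexec/podman/quadlet -dryrun -user' failed! Output withheld to prevent leaking secrets."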
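- name: Podman Prometheus | PATCH | Set up nginx and Let's Encrypt certificate
  ansible.builtin.include_role:
    name: sr2c.core.podman_nginx
  vars:
    podman_nginx_frontend_network: frontend
    podman_nginx_podman_rootless_user: "{{ podman_prometheus_podman_rootless_user }}"
    podman_nginx_primary_hostname: "{{ inventory_hostname }}"

- name: Podman Prometheus | PATCH | Install production nginx configuration file
  ansible.builtin.template:
    src: home/podman/nginx.conf
    dest: "/home/{{ podman_prometheus_podman_rootless_user }}/nginx/nginx.conf"
    owner: "{{ podman_prometheus_podman_rootless_user }}"
    group: "{{ podman_prometheus_podman_rootless_user }}"
    mode: "0644"
  become: true
  notify:
    - Restart nginx

# Both units are user-scope services of the rootless user, hence become_user
# together with scope: user.
- name: Podman Prometheus | PATCH | Make sure Prometheus and Nginx are running now and started on boot
  ansible.builtin.systemd_service:
    name: "{{ item }}.service"
    enabled: true
    state: started
    masked: false
    daemon_reload: true
    scope: user
  loop:
    - nginx
    - prometheus
  become: true
  become_user: "{{ podman_prometheus_podman_rootless_user }}"

# Runs on the controller. The task passes the ClouDNS auth password as a
# module argument, so no_log keeps it out of verbose output and failure
# messages regardless of how the module declares that argument.
# NOTE(review): the monitor name is cut to 19 characters of the hostname —
# presumably a ClouDNS name-length limit; verify.
- name: Podman Prometheus | PATCH | Set up ClouDNS monitoring
  sr2c.core.cloudns_monitor:
    name: "Prometheus - {{ inventory_hostname[:19] }}"
    host: "{{ inventory_hostname }}"
    ip: "{{ inventory_hostname }}"
    http_status_code: "200"
    emails: "{{ cloudns_monitoring_emails }}"
    auth_id: "{{ cloudns_auth_id }}"
    auth_password: "{{ cloudns_auth_password }}"
  delegate_to: localhost
  no_log: true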