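---
# Tasks for the Podman Headscale role: prepare a rootless podman user, lay
# down the Headscale configuration and quadlet units, verify the units, start
# the service and register external monitoring.
#
# Registered results are prefixed "_podman_headscale_" so they cannot collide
# with facts set by sibling roles that use the same task pattern.

- name: Podman Headscale | PATCH | Install data plate
  ansible.builtin.template:
    src: etc/motd.d/10-data-plate.txt
    dest: /etc/motd.d/10-data-plate.txt
    owner: root
    group: root
    mode: "0444"
  become: true

- name: Podman Headscale | PATCH | Install podman and verify rootless podman user
  ansible.builtin.include_role:
    role: sr2c.core.podman_host
  vars:
    # Lowest port the rootless user is allowed to bind; presumably needed so
    # the Headscale container can be published on port 80 — confirm against
    # the quadlet template.
    podman_host_minimum_unpriv_port: 80
    podman_host_rootless_users: ["{{ podman_headscale_podman_rootless_user }}"]

- name: Podman Headscale | AUDIT | Get subuid range for user
  ansible.builtin.command:
    cmd: "getsubids {{ podman_headscale_podman_rootless_user }}"
  register: _podman_headscale_user_subuid
  changed_when: false

- name: Podman Headscale | AUDIT | Get subgid range for user
  ansible.builtin.command:
    cmd: "getsubids -g {{ podman_headscale_podman_rootless_user }}"
  register: _podman_headscale_user_subgid
  changed_when: false

- name: Podman Headscale | AUDIT | Parse outputs of getsubids and store results
  # getsubids prints one range per line as "<index>: <user> <start> <count>";
  # field 2 of the first line is the first host UID/GID of the user's
  # subordinate range. Only the first range is considered.
  ansible.builtin.set_fact:
    _podman_headscale_user_subuid_start: "{{ _podman_headscale_user_subuid.stdout_lines[0].split()[2] }}"
    _podman_headscale_user_subgid_start: "{{ _podman_headscale_user_subgid.stdout_lines[0].split()[2] }}"

# Headscale runs with UID/GID 0 inside the container
# TODO: let's fix the above
#
# NOTE(review): the configuration files below are owned by
# "<subordinate range start> + 65533", i.e. the host ID rootless podman maps
# to container UID/GID 65534, which does not match the statement above that
# Headscale runs as UID/GID 0 — confirm which one is current. The directories
# themselves stay 0700 and owned by the rootless user; confirm the container
# process can traverse them with that mode.

- name: Podman Headscale | PATCH | Create configuration directory for Headscale
  ansible.builtin.file:
    path: "/home/{{ podman_headscale_podman_rootless_user }}/headscale-config"
    owner: "{{ podman_headscale_podman_rootless_user }}"
    group: "{{ podman_headscale_podman_rootless_user }}"
    mode: "0700"
    state: "directory"
  become: true

- name: Podman Headscale | PATCH | Create data directory for Headscale
  ansible.builtin.file:
    path: "/home/{{ podman_headscale_podman_rootless_user }}/headscale-data"
    owner: "{{ podman_headscale_podman_rootless_user }}"
    group: "{{ podman_headscale_podman_rootless_user }}"
    mode: "0700"
    state: "directory"
  become: true

- name: Podman Headscale | PATCH | Install Headscale configuration
  # NOTE(review): src/dest use "{{ item }}" as a directory component *above*
  # "headscale-config", while the directory created above is
  # ".../headscale-config" itself, so the destination parent directory is not
  # created by this role — confirm the intended layout is not
  # ".../headscale-config/{{ item }}" before relying on this task.
  ansible.builtin.template:
    src: "home/podman/{{ item }}/headscale-config"
    dest: "/home/{{ podman_headscale_podman_rootless_user }}/{{ item }}/headscale-config"
    # Read-only for the mapped container identity; the rootless user itself
    # does not get read access.
    mode: "0400"
    owner: "{{ (_podman_headscale_user_subuid_start | int) + 65533 }}"
    group: "{{ (_podman_headscale_user_subgid_start | int) + 65533 }}"
  become: true
  loop:
    - acls.hujson
    - config.yaml
  notify:
    - Restart Headscale

# Container and network units share the same source directory, destination,
# ownership and mode, so they are installed by a single task.
- name: Podman Headscale | PATCH | Install container and network quadlets
  ansible.builtin.template:
    src: "home/podman/config/containers/systemd/{{ item }}"
    dest: "/home/{{ podman_headscale_podman_rootless_user }}/.config/containers/systemd/{{ item }}"
    owner: "{{ podman_headscale_podman_rootless_user }}"
    mode: "0400"
  loop:
    - headscale.container
    - headscale.network
  become: true
  notify:
    - Restart Headscale

- name: Podman Headscale | AUDIT | Verify quadlets are correctly defined
  ansible.builtin.command: /usr/libexec/podman/quadlet -dryrun -user
  register: _podman_headscale_quadlet_result
  # The dry run echoes the generated units, which may carry templated secrets.
  # Do not let Ansible print the result on failure (ignore_errors would), and
  # do not mark the task failed here — the assert below reports the outcome
  # without the output.
  no_log: true
  failed_when: false
  changed_when: false
  become: true
  become_user: "{{ podman_headscale_podman_rootless_user }}"

- name: Podman Headscale | AUDIT | Assert that the quadlet verification succeeded
  ansible.builtin.assert:
    that:
      - _podman_headscale_quadlet_result.rc == 0
    fail_msg: "'/usr/libexec/podman/quadlet -dryrun -user' failed! Output withheld to prevent leaking secrets."

- name: Podman Headscale | PATCH | Make sure Headscale is running now and started on boot
  ansible.builtin.systemd_service:
    name: "{{ item }}.service"
    enabled: true
    state: started
    masked: false
    # Quadlet-generated units only appear after the user manager reloads.
    daemon_reload: true
    scope: user
  loop:
    - headscale
  become: true
  become_user: "{{ podman_headscale_podman_rootless_user }}"

- name: Podman Headscale | PATCH | Set up ClouDNS monitoring
  sr2c.core.cloudns_monitor:
    # Hostname is truncated to 20 characters; presumably a monitor-name length
    # limit on the ClouDNS side — confirm.
    name: "Headscale - {{ podman_headscale_web_hostname[:20] }}"
    host: "{{ inventory_hostname }}"
    ip: "{{ inventory_hostname }}"
    http_status_code: "200"
    emails: "{{ cloudns_monitoring_emails }}"
    auth_id: "{{ cloudns_auth_id }}"
    auth_password: "{{ cloudns_auth_password }}"
  delegate_to: localhost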