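---
# Provisions a single Gitea host: PostgreSQL database and role, the Gitea
# binary and systemd unit, an Nginx vhost with a Let's Encrypt certificate,
# UFW rules and Fail2Ban filters. Variables (gitea_db, gitea_db_user,
# gitea_version, gitea_fqdn) come from vars/all.yml.
- hosts: git.example.com
  # Whole play runs as root on the target. `remote_user` is the current
  # name of the deprecated `user` play keyword.
  remote_user: root

  tasks:
    - include_vars: vars/all.yml

    - name: Install Prerequisites
      apt:
        name: "{{ item }}"
        state: present
        update_cache: true
      with_items:
        - git
        - postgresql
        - fail2ban
        - python-psycopg2
        - python3-psycopg2
        - nginx
        - certbot
        - python-certbot-nginx

    - name: Create Gitea Database
      become: true
      become_user: postgres
      postgresql_db:
        name: "{{ gitea_db }}"

    # The DB password is generated on the control node by the `password`
    # lookup and persisted under /tmp there; /tmp is cleared on reboot and is
    # outside the repository, so a re-run after that generates a new value.
    # no_log keeps the password out of play output (it also hides module
    # error details for this task).
    - name: Prepare a Postgresql User
      become: true
      become_user: postgres
      no_log: true
      postgresql_user:
        db: "{{ gitea_db }}"
        name: "{{ gitea_db_user }}"
        # Jinja concatenation (~) rather than braces nested inside the lookup
        # string, which is not reliably re-templated.
        password: "{{ lookup('password', '/tmp/' ~ gitea_db_user ~ '.pass chars=ascii_letters,digits length=32') }}"
        priv: "ALL"
        encrypted: true
        expires: infinity

    # The .sha256 file is downloaded to /tmp on the control node so the file
    # lookup below can read it. It is served from the same origin as the
    # binary, so it only detects a corrupted or truncated transfer, not a
    # compromised download site.
    - name: Get Gitea checksum file
      local_action:
        module: get_url
        url: "https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64.sha256"
        dest: "/tmp"

    - name: Get Gitea
      get_url:
        url: "https://dl.gitea.io/gitea/{{ gitea_version }}/gitea-{{ gitea_version }}-linux-amd64"
        dest: "/usr/local/bin/gitea"
        # Symbolic mode: add execute for everyone (subject to umask).
        mode: "+x"
        # First whitespace-separated field of the .sha256 file is the digest.
        checksum: "sha256:{{ lookup('file', '/tmp/gitea-' ~ gitea_version ~ '-linux-amd64.sha256').split()[0] }}"

    - name: Create git user
      user:
        name: git
        comment: GIT Version Control
        shell: /bin/bash
        system: true
        home: /home/git

    # Modes are quoted strings: an unquoted 755 reaches the file module as
    # decimal 755 and is applied as the wrong permission bits.
    - name: Create Ditectory Structure
      file:
        path: "{{ item.path }}"
        owner: "{{ item.owner }}"
        group: "{{ item.group }}"
        mode: "{{ item.mode }}"
        state: directory
      with_items:
        - path: /var/lib/gitea/custom
          owner: root
          group: root
          mode: "0755"
        - path: /var/lib/gitea/public
          owner: root
          group: root
          mode: "0755"
        - path: /var/lib/gitea/data
          owner: git
          group: git
          mode: "0750"
        - path: /var/lib/gitea/indexers
          owner: git
          group: git
          mode: "0750"
        - path: /var/lib/gitea/log
          owner: git
          group: git
          mode: "0750"
        # Group-writable so the git user can write app.ini during first start.
        - path: /etc/gitea
          owner: root
          group: git
          mode: "0770"

    - name: Create a Gitea service
      template:
        src: templates/gitea.service.j2
        dest: /etc/systemd/system/gitea.service

    - name: Reload systemd
      systemd:
        daemon_reload: true

    - name: Start Gitea
      service:
        name: gitea
        enabled: true
        state: started

    - name: Deploy Nginx HTTP vhost
      template:
        src: "{{ item.source }}"
        dest: "{{ item.destination }}"
      with_items:
        - source: "templates/nginx_vhost.j2"
          destination: "/etc/nginx/sites-available/{{ gitea_fqdn }}"

    - name: Enable Gitea vhost
      file:
        src: "/etc/nginx/sites-available/{{ gitea_fqdn }}"
        dest: "/etc/nginx/sites-enabled/{{ gitea_fqdn }}"
        state: link
      notify:
        - Disable Default vhost
        - Restart Nginx

    - name: Configure UFW
      ufw:
        rule: allow
        proto: tcp
        direction: in
        to_port: "{{ item }}"
        dest: any
        src: any
      with_items:
        - 80
        - 443

    # Bootstrap step: the app.ini generated by Gitea's first start is copied
    # to /tmp on the control node so its INTERNAL_TOKEN can be carried into
    # the templated configuration. The copy contains secrets and is not
    # removed by this play.
    # NOTE(review): assumes Gitea has finished writing app.ini by the time
    # this task runs — confirm, or wait for the file before fetching.
    - name: Fetch app.ini
      fetch:
        src: /etc/gitea/app.ini
        dest: /tmp/gitea-app.ini
        flat: true

    # Expects a line of the form `INTERNAL_TOKEN = <value>`; index 2 is the
    # value. no_log keeps the token out of verbose output.
    - name: Get INTERNAL_TOKEN
      no_log: true
      set_fact:
        gitea_internal_token: "{{ (lookup('file', '/tmp/gitea-app.ini')|regex_search('(INTERNAL_TOKEN.*)')).split()[2] }}"

    - name: Deploy Gitea configuration
      template:
        src: templates/app.ini.j2
        dest: /etc/gitea/app.ini
      notify:
        - Restart Gitea

    - name: Create the .well-known directory
      file:
        path: /var/www/html/.well-known
        owner: www-data
        group: www-data
        state: directory

    # Idempotent via `creates`: skipped once the certificate exists.
    - name: Generate a Let's encrypt certificate
      command: |
        certbot \
        certonly \
        --webroot \
        --webroot-path /var/www/html/ \
        --installer nginx \
        --non-interactive \
        --quiet \
        --domains {{ gitea_fqdn }} \
        --agree-tos \
        -m theo@theo-andreou.org
      args:
        creates: "/etc/letsencrypt/live/{{ gitea_fqdn }}/fullchain.pem"

    # Replaces the HTTP-only vhost written above with the TLS version.
    - name: Deploy Nginx configuration and certificates
      template:
        src: "{{ item.source }}"
        dest: "{{ item.destination }}"
      with_items:
        - source: "templates/nginx_vhost_tls.j2"
          destination: "/etc/nginx/sites-available/{{ gitea_fqdn }}"
      notify:
        - Restart Nginx

    - name: Fail2Ban configuration for Gitea
      template:
        src: "{{ item.source }}"
        dest: "{{ item.destination }}"
      with_items:
        - source: "templates/f2b-gitea.conf.j2"
          destination: "/etc/fail2ban/filter.d/gitea.conf"
        - source: "templates/f2b-gitea.local.j2"
          destination: "/etc/fail2ban/jail.d/jail.local"
      notify:
        - Restart Fail2Ban

  handlers:
    - name: Disable Default vhost
      file:
        path: /etc/nginx/sites-enabled/default
        state: absent

    - name: Restart Nginx
      service:
        name: nginx
        state: restarted

    - name: Restart Gitea
      service:
        name: gitea
        enabled: true
        state: restarted

    - name: Restart Fail2Ban
      service:
        name: fail2ban
        state: restarted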