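# SPDX-FileCopyrightText: 2024 Matthew Fennell
#
# SPDX-License-Identifier: AGPL-3.0-only
---
# Provisions a Debian host as an XMPP server: prosody (PostgreSQL-backed),
# coturn for audio/video relaying, ufw as the firewall and borgmatic for
# backups. Expects the inventory variables `virtual_host` and
# `borg_private_key_path` to be set for hosts in the `xmpp_server` group.
- name: Ensure XMPP server is set up
  hosts: xmpp_server
  tasks:
    # We specifically use apt instead of the more general package module here,
    # because we want to ensure the cache is updated before we try and install
    # anything. This is needed because, on a fresh Debian install on AWS
    # Lightsail (as of 2024-02-08), nothing was returned after running apt
    # search borgmatic. Updating the cache before running apt install solved
    # this issue, but the package module does not support this functionality.
    - name: Ensure required packages are installed
      ansible.builtin.apt:
        name:
          - borgmatic # Backups
          - coturn # Audio / video calling server
          - lua-dbi-postgresql # Prosody postgres connection
          - postgresql # Database
          - prosody # XMPP server
          - prosody-modules # Extra addons
          - python3-psycopg2 # Used by ansible postgres role
          - ufw # Firewall
        state: present
        update_cache: true
      become: true

    # Application profiles shipped with the distro packages (/etc/ufw/applications.d).
    - name: Ensure required ports with ufw applications are open
      community.general.ufw:
        rule: allow
        name: "{{ item }}"
        state: enabled
      loop:
        - OpenSSH
        - Turnserver
        - WWW
        - XMPP
      become: true

    - name: Ensure other required tcp ports are open
      community.general.ufw:
        rule: allow
        port: "{{ item }}"
        proto: tcp
        state: enabled
      loop:
        - 5000 # XEP-0065
        - 5223 # XEP-0368
        - 5270 # XEP-0368
        - 5280 # XEP-0363
        - 5281 # XEP-0363
        # - 5432 # Postgres -- deliberately not exposed; prosody connects locally
      become: true

    # NOTE(review): 5280/5281 are the HTTP (TCP) ports used by XEP-0363; exposing
    # them over UDP looks unnecessary unless HTTP/3 is in use -- confirm before
    # keeping these rules.
    - name: Ensure other udp ports are open
      community.general.ufw:
        rule: allow
        port: "{{ item }}"
        proto: udp
        state: enabled
      loop:
        - 5000 # XEP-0065
        - 5280 # XEP-0363
        - 5281 # XEP-0363
      become: true

    # The rendered file holds the TURN shared secret, so it is group-readable
    # by prosody only and not world-readable.
    - name: Ensure turn is configured
      ansible.builtin.template:
        src: "{{ playbook_dir }}/files/turnserver.conf.j2"
        dest: /etc/turnserver.conf
        owner: root
        group: prosody
        mode: "0640"
      become: true
      notify: Restart coturn

    - name: Ensure prosody database is set up
      community.postgresql.postgresql_db:
        name: prosody
      become: true
      become_user: postgres

    # Created before the schema so the schema can be owned by it.
    - name: Ensure prosody role is created
      community.postgresql.postgresql_user:
        db: prosody
        name: prosody
      become: true
      become_user: postgres

    - name: Ensure prosody schema is created
      community.postgresql.postgresql_schema:
        db: prosody
        name: prosody
        owner: prosody
      become: true
      become_user: postgres

    - name: Ensure prosody user has permissions on database
      community.postgresql.postgresql_privs:
        type: database
        database: prosody
        privs: ALL
        roles: prosody
      become: true
      become_user: postgres

    # NOTE(review): no `schema:` is given, so ALL_IN_SCHEMA applies to the
    # `public` schema rather than the `prosody` schema created above -- confirm
    # this is the intended target.
    - name: Ensure prosody user has permissions on schema
      community.postgresql.postgresql_privs:
        type: table
        database: prosody
        objs: ALL_IN_SCHEMA
        privs: ALL
        roles: prosody
      become: true
      become_user: postgres

    - name: Ensure top-level prosody configuration is installed
      ansible.builtin.template:
        src: "{{ playbook_dir }}/files/prosody.cfg.lua.j2"
        dest: /etc/prosody/prosody.cfg.lua
        owner: root
        group: prosody
        mode: "0640"
      become: true
      notify: Reload prosody

    - name: Ensure host-specific prosody configuration is available
      ansible.builtin.template:
        src: "{{ playbook_dir }}/files/virtual_host.cfg.lua.j2"
        dest: "/etc/prosody/conf.avail/{{ virtual_host }}.cfg.lua"
        owner: root
        group: prosody
        mode: "0644"
      become: true
      notify: Reload prosody

    # Symlink into conf.d activates the virtual host (Debian's prosody layout).
    - name: Ensure host-specific prosody configuration is set
      ansible.builtin.file:
        src: "/etc/prosody/conf.avail/{{ virtual_host }}.cfg.lua"
        dest: "/etc/prosody/conf.d/{{ virtual_host }}.cfg.lua"
        owner: root
        group: prosody
        state: link
      become: true
      notify: Reload prosody

    - name: Ensure prosody is enabled
      ansible.builtin.service:
        name: prosody
        enabled: true
      become: true

    # The copy below fails on a host where root has never had an ~/.ssh, so
    # create the directory first with the permissions ssh expects.
    - name: Ensure root ssh directory exists
      ansible.builtin.file:
        path: /root/.ssh
        state: directory
        owner: root
        group: root
        mode: "0700"
      become: true

    # no_log keeps the key bytes out of --diff / verbose output and logs.
    - name: Ensure borgmatic private key is installed
      ansible.builtin.copy:
        src: "{{ borg_private_key_path }}"
        dest: /root/.ssh/borg_key
        owner: root
        group: root
        mode: "0600"
      become: true
      no_log: true

    - name: Ensure borgmatic config directory exists
      ansible.builtin.file:
        path: /etc/borgmatic
        state: directory
        owner: root
        group: root
        mode: "0700"
      become: true

    # validate rejects a broken template before it replaces the live config.
    - name: Ensure borgmatic is configured
      ansible.builtin.template:
        src: "{{ playbook_dir }}/files/borgmatic_config.yaml.j2"
        dest: "/etc/borgmatic/config.yaml"
        owner: root
        group: root
        mode: "0600"
        validate: validate-borgmatic-config --config %s
      become: true

  handlers:
    - name: Reload prosody
      ansible.builtin.service:
        name: prosody
        state: reloaded
      become: true

    # coturn does not re-read its config on reload, so a full restart is used.
    - name: Restart coturn
      ansible.builtin.service:
        name: coturn
        state: restarted
      become: true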