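# SPDX-FileCopyrightText: 2024 Matthew Fennell
#
# SPDX-License-Identifier: AGPL-3.0-only
---
# Provisions a single-host XMPP (prosody) server: packages, host firewall,
# Let's Encrypt certificate via certbot, prosody configuration, and a
# borgmatic backup configuration. Every task that writes to the system runs
# with `become: true`; the play itself does not escalate.
#
# Variables expected from inventory/extra-vars (not defined here):
#   certbot_email, virtual_host, borg_private_key_path
- name: Ensure XMPP server is set up
  hosts: xmpp_server
  tasks:
    # Package installation needs root like every other task below; without
    # `become: true` this task only works when the connection user is root.
    - name: Ensure required packages are installed
      ansible.builtin.package:
        name:
          - borgmatic
          - certbot
          - prosody
          - prosody-modules
          - python3-certbot-apache
          - ufw
        state: present
      become: true

    # Allows the three ufw application profiles and enables ufw on each
    # iteration. The play sets no default policy, so whether anything else
    # is reachable depends on ufw's existing default incoming policy on the
    # host — confirm it is deny before relying on this as the perimeter.
    - name: Ensure required ports are open
      community.general.ufw:
        rule: allow
        name: "{{ item }}"
        state: enabled
      loop:
        - OpenSSH
        - WWW
        - XMPP
      become: true

    # Deploy hook run by certbot after a successful renewal; root-owned and
    # executable so it is only writable by root.
    - name: Ensure certbot on-renew hook is installed
      ansible.builtin.copy:
        src: "{{ playbook_dir }}/files/on_renew.sh"
        dest: /etc/letsencrypt/renewal-hooks/deploy/prosody.sh
        owner: root
        group: root
        mode: "0755"
      become: true

    # The no-op --post-hook exists so certbot prints "Running post-hook
    # command" only when a certificate was actually issued/renewed; that
    # string drives changed_when below. `command` does not invoke a shell,
    # so the interpolated variables are passed as discrete arguments.
    - name: Ensure certificates are installed
      ansible.builtin.command: >-
        certbot
        --non-interactive
        --agree-tos
        --post-hook "/bin/true"
        --email {{ certbot_email }}
        --no-eff-email
        --apache
        --domains {{ virtual_host }}
      become: true
      register: certbot
      changed_when: "'Running post-hook command' in certbot.stdout"

    # Main config is readable by the prosody group only (0640); a config
    # change reloads prosody via the handler.
    - name: Ensure top-level prosody configuration is installed
      ansible.builtin.copy:
        src: "{{ playbook_dir }}/files/prosody.cfg.lua"
        dest: /etc/prosody/prosody.cfg.lua
        owner: root
        group: prosody
        mode: "0640"
      become: true
      notify: Reload prosody

    - name: Ensure host-specific prosody configuration is available
      ansible.builtin.template:
        src: "{{ playbook_dir }}/files/virtual_host.cfg.lua.j2"
        dest: "/etc/prosody/conf.avail/{{ virtual_host }}.cfg.lua"
        owner: root
        group: prosody
        mode: "0644"
      become: true
      notify: Reload prosody

    # conf.avail -> conf.d symlink activates the virtual host.
    - name: Ensure host-specific prosody configuration is set
      ansible.builtin.file:
        src: "/etc/prosody/conf.avail/{{ virtual_host }}.cfg.lua"
        dest: "/etc/prosody/conf.d/{{ virtual_host }}.cfg.lua"
        owner: root
        group: prosody
        state: link
      become: true
      notify: Reload prosody

    # Only enables the unit at boot; no `state: started` here — presumably
    # the package install starts prosody and the handler reloads it. Confirm
    # on a fresh host.
    - name: Ensure prosody is enabled
      ansible.builtin.service:
        name: prosody
        enabled: true
      become: true

    # SSH key used by borgmatic to reach the backup repository; root-only
    # (0600). Assumes /root/.ssh already exists on the target — copy does not
    # create parent directories, TODO confirm.
    - name: Ensure borgmatic private key is installed
      ansible.builtin.copy:
        src: "{{ borg_private_key_path }}"
        dest: /root/.ssh/borg_key
        owner: root
        group: root
        mode: "0600"
      become: true

    # The rendered config is root-only (0600) because it may carry
    # repository credentials; the handler validates it after each change.
    - name: Ensure borgmatic is configured
      ansible.builtin.template:
        src: "{{ playbook_dir }}/files/borgmatic_config.yaml.j2"
        dest: "/etc/borgmatic/config.yaml"
        owner: root
        group: root
        mode: "0600"
      become: true
      notify: Validate borgmatic config

  handlers:
    - name: Reload prosody
      ansible.builtin.service:
        name: prosody
        state: reloaded
      become: true

    # Validation only reads the config, so it never reports a change.
    - name: Validate borgmatic config
      ansible.builtin.command: validate-borgmatic-config
      become: true
      changed_when: false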