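---
# Gitea Dedicated SSH Server Configuration - Rick-Infra
# Configures Gitea to run its own SSH server on port 2222
# This is the fallback mode when passthrough is not desired
#
# Task order: firewall.yml exposes gitea_ssh_port, fail2ban.yml installs the
# gitea-ssh jail, and the verification block below refuses to continue when
# that jail is not running.
# NOTE(review): the port is opened before the jail is verified, so a failed
# verification leaves the port exposed until the next run — confirm whether
# fail2ban.yml (or its nftables action) depends on tables created by
# firewall.yml before considering a reorder.

- name: Configure firewall for Gitea SSH (dedicated mode)
  import_tasks: firewall.yml
  tags: ['firewall']

- name: Configure fail2ban for Gitea SSH (dedicated mode)
  import_tasks: fail2ban.yml
  tags: ['fail2ban', 'security']

# Poll the jail instead of a fixed 2-second pause followed by a single check:
# fail2ban may need longer than that to load the jail, and sleep-then-check
# is a race. The block/rescue keeps the explicit security error message.
- name: Ensure the gitea-ssh jail protects the exposed port (security critical)
  tags: ['fail2ban', 'security']
  block:
    - name: Verify gitea-ssh jail is active
      command: fail2ban-client status gitea-ssh
      register: gitea_jail_status
      changed_when: false
      retries: 5
      delay: 2
      until: gitea_jail_status.rc == 0

    - name: Display fail2ban protection status
      debug:
        msg: |
          🛡️ Gitea SSH fail2ban protection:
          ✅ gitea-ssh jail is ACTIVE
          {{ gitea_jail_status.stdout }}

  rescue:
    # Reached only when every retry returned a non-zero rc (jail missing,
    # fail2ban not running, or fail2ban-client absent).
    - name: Fail if gitea-ssh jail is not running (security critical)
      fail:
        msg: |
          SECURITY ERROR: gitea-ssh fail2ban jail is not active!
          Port {{ gitea_ssh_port }} is exposed but not protected.
          Check fail2ban configuration and logs.

# Dedicated mode must not coexist with the passthrough setup: drop the managed
# sshd_config block and the helper script it pointed at. sshd is restarted by
# the handler at the end of the play, after both removals.
- name: Remove SSH passthrough configuration if present
  blockinfile:
    path: /etc/ssh/sshd_config
    marker: "# {mark} ANSIBLE MANAGED BLOCK - Gitea SSH Passthrough"
    state: absent
    backup: true
  # Not consumed in this file; presumably read elsewhere — verify before removing.
  register: sshd_config_cleaned
  notify: restart sshd

- name: Remove AuthorizedKeysCommand script if present
  file:
    path: /usr/local/bin/gitea-keys
    state: absent

- name: Display dedicated mode configuration
  debug:
    msg: |
      🔧 Gitea SSH Mode: DEDICATED
      ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
      📍 SSH Server: Gitea built-in (port {{ gitea_ssh_port }})
      🔗 Clone URL: ssh://git@{{ gitea_ssh_domain }}:{{ gitea_ssh_port }}/user/repo.git
      🔥 Firewall: Port {{ gitea_ssh_port }} opened (nftables)
      🛡️ fail2ban: gitea-ssh jail protecting port {{ gitea_ssh_port }}

      Test connection:
        ssh -T -p {{ gitea_ssh_port }} git@{{ gitea_ssh_domain }}

      Clone repository:
        git clone ssh://git@{{ gitea_ssh_domain }}:{{ gitea_ssh_port }}/username/repo.git

# Rick-Infra: Self-contained dedicated SSH mode with full security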