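---
# Vaultwarden Password Manager Role - Main Tasks
# Self-contained deployment with Podman and Unix sockets
#
# Task order: account and directories, database access, image pull, admin
# token hashing, secrets file, Quadlet unit, reverse proxy, service start,
# health check. Builtin modules are addressed by fully qualified collection
# name so that a same-named module from another installed collection cannot
# be resolved in their place.

- name: Setup vaultwarden user and directories
  ansible.builtin.include_tasks: user.yml
  tags: [user, setup]

- name: Setup database access and permissions
  ansible.builtin.include_tasks: database.yml
  tags: [database, setup]

# NOTE(review): the image is referenced by tag, and registry tags are mutable.
# Confirm that vaultwarden_version is set to a reviewed release rather than a
# floating tag, so that every run deploys the same image content.
- name: Pull vaultwarden container image
  containers.podman.podman_image:
    name: "{{ vaultwarden_image }}:{{ vaultwarden_version }}"
    state: present
  tags: [containers, image-pull]

- name: Hash admin token on host
  ansible.builtin.include_tasks: hash_admin_token.yml
  tags: [config, admin-token]

# The rendered .env file holds the service's secrets, so it is readable by the
# service account only. diff is disabled so that running with --diff does not
# print the rendered secrets to the console or to job logs.
# backup: true leaves timestamped copies of earlier versions next to the file;
# those copies contain earlier secrets and need the same retention and cleanup
# as the live file.
- name: Deploy environment configuration
  ansible.builtin.template:
    src: vaultwarden.env.j2
    dest: "{{ vaultwarden_home }}/.env"
    owner: "{{ vaultwarden_user }}"
    group: "{{ vaultwarden_group }}"
    mode: '0600'
    backup: true
  diff: false
  notify:
    - restart vaultwarden
  tags: [config]

# Quadlet files in this directory are turned into system-scope units, so the
# directory and the unit file are owned by root explicitly instead of
# inheriting whatever ownership is already on disk. The directory task carries
# the same tags as the template task so that a tag-limited run cannot try to
# write the unit file into a directory that was never created.
- name: Create Quadlet systemd directory
  ansible.builtin.file:
    path: /etc/containers/systemd
    state: directory
    owner: root
    group: root
    mode: '0755'
  tags: [containers, deployment]

- name: Deploy Quadlet container file
  ansible.builtin.template:
    src: vaultwarden.container
    dest: /etc/containers/systemd/vaultwarden.container
    owner: root
    group: root
    mode: '0644'
  notify:
    - reload systemd
    - restart vaultwarden
  tags: [containers, deployment]

- name: Deploy Caddy configuration
  ansible.builtin.template:
    src: vaultwarden.caddy.j2
    dest: "{{ caddy_sites_enabled_dir }}/vaultwarden.caddy"
    owner: root
    group: "{{ caddy_user }}"
    mode: '0644'
    backup: true
  notify: reload caddy
  tags: [caddy, reverse-proxy]

# The two PostgreSQL checks are tagged like the service start below, so a run
# limited to those tags still verifies the database before starting the
# container.
- name: Ensure PostgreSQL is running
  ansible.builtin.systemd:
    name: postgresql
    state: started
  tags: [containers, service]

# NOTE(review): the path assumes postgresql_unix_socket_directories holds a
# single directory; confirm against the PostgreSQL role's defaults.
- name: Wait for PostgreSQL socket to be ready
  ansible.builtin.wait_for:
    path: "{{ postgresql_unix_socket_directories }}/.s.PGSQL.{{ postgresql_port }}"
    timeout: 30
  # The bool filter keeps a string value such as "false" from being treated
  # as true.
  when: postgresql_unix_socket_enabled | bool
  tags: [containers, service]

- name: Enable and start Vaultwarden service (system scope)
  ansible.builtin.systemd:
    name: vaultwarden
    enabled: "{{ vaultwarden_service_enabled }}"
    state: "{{ vaultwarden_service_state }}"
    daemon_reload: true
  tags: [containers, service]

# The probe goes to the loopback listener, not through the reverse proxy.
# The explicit until condition makes the retry loop take effect on every
# Ansible version; older releases ignore retries/delay when until is absent,
# which would fail the play on the first probe while the container is still
# starting.
- name: Wait for Vaultwarden to be ready
  ansible.builtin.uri:
    url: "http://127.0.0.1:{{ vaultwarden_http_port }}/"
    method: GET
    status_code: [200, 302]
    timeout: 30
  register: vaultwarden_health_check
  until: vaultwarden_health_check is succeeded
  retries: 10
  delay: 15
  tags: [verification, health-check]

# The summary prints the domain, database name and image reference only; the
# admin token itself is never echoed.
- name: Display Vaultwarden deployment status
  ansible.builtin.debug:
    msg: |
      Vaultwarden Password Manager deployed successfully!

      Domain: {{ vaultwarden_domain }}
      Database: {{ vaultwarden_db_name }} (Unix socket)
      Container: {{ vaultwarden_image }}:{{ vaultwarden_version }}
      Admin Panel: https://{{ vaultwarden_domain }}/admin

      Ready for user registration and password management!

      Next Steps:
      - Access https://{{ vaultwarden_domain }}/admin with your admin token
      - Configure additional settings (SMTP, SSO, etc.)
      - Invite users or create accounts
  tags: [verification]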