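---
# Gitea on Dokku: publish the app on 80/443 with Let's Encrypt, hide the
# container's own HTTP/SSH ports, then pass SSH for the host `git` user
# through to the Gitea container.
# The `dokku_ports` module and the `gitea.j2` template are provided outside
# this file (role/collection); the vars dir loaded first must define
# `dokku_lib_root`, `http_port` and `ssh_listen_port`.
- hosts: all
  gather_facts: false
  tasks:
    - name: Load variables
      include_vars:
        dir: "{{ dokku_lib_root }}/data/ansible/gitea/vars/"
        extensions:
          - yml

    - name: Set HTTP 80 port proxy
      dokku_ports:
        app: gitea
        mappings:
          - "http:80:{{ http_port }}"
        state: present

    # `creates:` makes both tasks idempotent: once dokku has written the
    # cert/cron artefacts the shell command is skipped.
    - name: Setup LE certificates
      shell: dokku letsencrypt gitea
      args:
        creates: /home/dokku/gitea/letsencrypt/certs

    - name: Setup LE certificates renew cron job
      shell: dokku letsencrypt:cron-job --add
      args:
        creates: /home/dokku/gitea/letsencrypt/cron-job

    # Remove the mappings dokku derived from the container's exposed ports so
    # Gitea's own HTTP (3000) and SSH (2222) listeners are not published.
    - name: Remove automatically configured ports
      dokku_ports:
        app: gitea
        mappings:
          - "http:3000:3000"
          - "http:2222:2222"
        state: absent

    - name: Set HTTP 443 port
      dokku_ports:
        app: gitea
        mappings:
          - "https:443:{{ http_port }}"
        state: present

    - name: Ensure jq package is installed
      apt:
        name: jq
        state: present

    # Read-only probe; `changed_when: false` keeps repeated runs from
    # reporting a change on every execution.
    - name: Retrieve application container IP address
      shell: "dokku ps:inspect gitea | jq -r .[0].NetworkSettings.IPAddress"
      register: dokku_ps_inspect
      changed_when: false

    # `ssh_listen_port` is already in scope from the include_vars above.
    # Re-declaring it here as `{{ ssh_listen_port }}` makes the task var
    # reference itself (task vars take precedence over included vars), so
    # only the container IP is passed to the template explicitly.
    - name: Setup the SSH passthrough script
      vars:
        dokku_container_ip: "{{ dokku_ps_inspect.stdout }}"
      template:
        src: gitea.j2
        dest: /app/gitea/gitea
        owner: git
        group: git
        mode: "+x"
        force: true
      become: true

    - name: Store the git user public key
      shell: cat /home/git/.ssh/id_rsa.pub
      register: git_id_rsa_pub
      changed_when: false
      become: true

    - name: Store the gitea authorized_keys file
      shell: cat /var/lib/gitea/git/.ssh/authorized_keys
      register: git_auth_keys
      changed_when: false
      become: true

    # grep -Fxq exits 0 only when the key appears verbatim as a whole line;
    # exit 1 means "not present" and must not fail the play, so the result is
    # inspected via `rc` below instead of treated as an error.
    - name: Check if the public key is already in place
      command: 'grep -Fxq "{{ git_id_rsa_pub.stdout}}" /var/lib/gitea/git/.ssh/authorized_keys'
      check_mode: false
      failed_when: false
      changed_when: false
      register: git_id_rsa_pub_check
      become: true

    # The key is inserted with forwarding and pty allocation disabled, which
    # limits what a login with this key can do beyond git transport.
    # NOTE(review): `rc == 0` means the bare key line already exists in the
    # file; a missing key (rc 1) skips this task. Confirm that is the intended
    # trigger rather than the inverse.
    - name: Ensure git public key is in gitea loaded authorized_keys
      blockinfile:
        path: /var/lib/gitea/git/.ssh/authorized_keys
        block: "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty {{ git_id_rsa_pub.stdout }}"
        state: present
        owner: git
        group: git
        create: true
        insertbefore: BOF
        backup: true
        marker: "# ansible inserted git <-> gitea public key"
      become: true
      when: git_id_rsa_pub_check.rc == 0

    # The host `git` user authenticates against the Gitea-managed key file.
    - name: Symlink the gitea authorized keys configuration to the host git user
      file:
        src: /var/lib/gitea/git/.ssh/authorized_keys
        dest: /home/git/.ssh/authorized_keys
        state: link
        force: true
        owner: git
      become: true

    # Appends `git` to an existing AllowUsers line only when it is not already
    # listed (negative lookahead); a config with no AllowUsers line is left
    # untouched. No sshd reload is triggered in this file, so the change takes
    # effect when sshd next re-reads its configuration.
    - name: Add git user to AllowUsers SSH configuration
      replace:
        backup: true
        dest: /etc/ssh/sshd_config
        regexp: '^(AllowUsers(?!.*\bgit\b).*)$'
        replace: '\1 git'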