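---
# Nginx vhosts for WetGIT
# IMPORTANT: Only adds vhost configs. Does NOT touch global nginx.conf
# (managed by dt-platform's nginx role).
#
# Strategy: Deploy HTTP-only first → get SSL certs → deploy full HTTPS config.
#
# What this task file relies on but does not provide (confirm in the including
# play / role dependencies):
#   - a `reload nginx` handler is defined elsewhere
#   - /var/www/certbot exists and is readable by nginx; the pre-SSL vhosts use
#     it as the HTTP-01 webroot and nothing here creates it
#   - `server_name` and `forgejo_domain` are set; `certbot_email` is optional
#     and falls back to the address previously hard-coded below

# --- Step 1: Check existing SSL certificates ---
# The stat results decide whether a domain still needs the pre-SSL vhost and a
# certbot run. They are taken once, before any cert is issued.
- name: Check if API SSL certificate exists
  stat:
    path: "/etc/letsencrypt/live/{{ server_name }}/fullchain.pem"
  register: ssl_cert_api

- name: Check if Forgejo SSL certificate exists
  stat:
    path: "/etc/letsencrypt/live/{{ forgejo_domain }}/fullchain.pem"
  register: ssl_cert_git

# --- Step 2: Deploy HTTP-only configs for domains without certs ---
# Only the ACME challenge path is served; every other request gets 503, so no
# application traffic is reachable over plain HTTP while the cert is pending.
- name: Deploy API HTTP-only vhost (pre-SSL)
  copy:
    content: |
      # Temporary HTTP-only config for SSL provisioning — managed by Ansible
      server {
          listen 80;
          listen [::]:80;
          server_name {{ server_name }};

          location /.well-known/acme-challenge/ {
              root /var/www/certbot;
          }

          location / {
              return 503;
          }
      }
    dest: /etc/nginx/sites-available/wetgit-api.conf
    owner: root
    group: root
    mode: "0644"
  when: not ssl_cert_api.stat.exists
  notify: reload nginx

- name: Deploy Forgejo HTTP-only vhost (pre-SSL)
  copy:
    content: |
      # Temporary HTTP-only config for SSL provisioning — managed by Ansible
      server {
          listen 80;
          listen [::]:80;
          server_name {{ forgejo_domain }};

          location /.well-known/acme-challenge/ {
              root /var/www/certbot;
          }

          location / {
              return 503;
          }
      }
    dest: /etc/nginx/sites-available/wetgit-git.conf
    owner: root
    group: root
    mode: "0644"
  when: not ssl_cert_git.stat.exists
  notify: reload nginx

# --- Step 3: Enable vhosts and reload nginx ---
# Symlinks are created unconditionally: they point at whichever config
# (pre-SSL or full HTTPS) is currently in sites-available.
- name: Enable API vhost
  file:
    src: /etc/nginx/sites-available/wetgit-api.conf
    dest: /etc/nginx/sites-enabled/wetgit-api.conf
    state: link
  notify: reload nginx

- name: Enable Forgejo vhost
  file:
    src: /etc/nginx/sites-available/wetgit-git.conf
    dest: /etc/nginx/sites-enabled/wetgit-git.conf
    state: link
  notify: reload nginx

# Force the handler to run now so nginx serves the HTTP-only vhosts (and thus
# the ACME webroot) before certbot attempts the HTTP-01 challenge.
- name: Flush handlers (reload nginx for certbot)
  meta: flush_handlers

# --- Step 4: Obtain SSL certificates via webroot ---
# `command` (not `shell`) is used on purpose: the domain and email values are
# passed as discrete arguments, never through a shell. `creates` makes each
# task idempotent on its own, independent of the Step 1 facts; a certbot
# failure still fails the play, so Step 5 never ships an HTTPS config that
# references a missing certificate.
- name: Obtain SSL certificate for {{ server_name }}
  command: >
    certbot certonly --webroot -w /var/www/certbot
    -d {{ server_name }}
    --non-interactive --agree-tos
    --email {{ certbot_email | default('coornhert@wetgit.nl') }}
  args:
    creates: "/etc/letsencrypt/live/{{ server_name }}/fullchain.pem"
  when: not ssl_cert_api.stat.exists
  register: certbot_api

- name: Obtain SSL certificate for {{ forgejo_domain }}
  command: >
    certbot certonly --webroot -w /var/www/certbot
    -d {{ forgejo_domain }}
    --non-interactive --agree-tos
    --email {{ certbot_email | default('coornhert@wetgit.nl') }}
  args:
    creates: "/etc/letsencrypt/live/{{ forgejo_domain }}/fullchain.pem"
  when: not ssl_cert_git.stat.exists
  register: certbot_git

# --- Step 5: Deploy full HTTPS configs ---
# Always rendered: by this point every domain either already had a cert or
# just obtained one. The templates live outside this file (see the role's
# templates/ directory).
- name: Deploy API nginx vhost (full HTTPS)
  template:
    src: wetgit-api.conf.j2
    dest: /etc/nginx/sites-available/wetgit-api.conf
    owner: root
    group: root
    mode: "0644"
  notify: reload nginx

- name: Deploy Forgejo nginx vhost (full HTTPS)
  template:
    src: wetgit-git.conf.j2
    dest: /etc/nginx/sites-available/wetgit-git.conf
    owner: root
    group: root
    mode: "0644"
  notify: reload nginx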