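---
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# shithubd app role: installs the binary, env files, systemd units.
# Binary is built locally and uploaded — no in-place compile on prod.
#
# Ownership rule used throughout: anything the service account (or the
# `git` account) only *executes* or *reads* — binaries, rollback copies,
# shell wrappers, unit files — is root-owned. Only data and config the
# service must write belongs to {{ shithub_user }}.

- name: Repo + temp dirs on the block volume
  # Writable by the service account; group members (shithub-worker, git)
  # may traverse so git-over-SSH can reach the bare repos.
  file:
    path: "{{ item }}"
    state: directory
    owner: "{{ shithub_user }}"
    group: "{{ shithub_group }}"
    mode: "0750"
  loop:
    - "{{ shithub_data_root }}/repos"
    - "{{ shithub_data_root }}/tmp"

- name: Rollback binaries dir (root-owned — not writable by the service account)
  # Rollback copies are what you reach for during an incident. If the
  # directory belonged to {{ shithub_user }}, a compromised web/worker
  # process could replace or delete them, so it is split out of the
  # service-owned loop above and kept root-owned.
  file:
    path: /var/lib/shithub/binaries
    state: directory
    owner: root
    group: root
    mode: "0755"

- name: Upload shithubd binary (built by `make deploy` locally)
  copy:
    src: "{{ playbook_dir }}/../../bin/shithubd"
    dest: /usr/local/bin/shithubd
    mode: "0755"
    owner: root
    group: root
  # A new binary with unchanged env files and units would otherwise leave
  # the old process running until the next unrelated config change.
  notify:
    - restart shithubd-web
    - restart shithubd-worker

- name: Fingerprint the installed binary (keys the rollback copy below)
  stat:
    path: /usr/local/bin/shithubd
    checksum_algorithm: sha256
  register: shithubd_installed

- name: Archive a versioned copy under /var/lib/shithub/binaries (rollback path)
  # Keyed by content hash, not deploy time. The previous `shell: cp …
  # $(date +%Y%m%d-%H%M%S)` guarded by `creates: … {{ ansible_date_time.
  # iso8601_basic_short }}` never matched (different timestamp formats),
  # so every run dropped another copy. A hash-named copy is idempotent
  # and two deploys of the same build share one file; use mtime / `ls -t`
  # to find the previous build.
  copy:
    remote_src: true
    src: /usr/local/bin/shithubd
    dest: "/var/lib/shithub/binaries/shithubd-{{ shithubd_installed.stat.checksum }}"
    owner: root
    group: root
    mode: "0755"
  when: shithubd_installed.stat.exists

- name: Config dir — ensure /etc/shithub exists
  # 0750 with shithub group: shithub user has full RW; group members
  # (shithub-worker AND `git` for the SSH-shell wrapper) can traverse
  # + read group-readable files inside.
  file:
    path: /etc/shithub
    state: directory
    owner: "{{ shithub_user }}"
    group: "{{ shithub_group }}"
    mode: "0750"

- name: Runtime object storage config is complete when enabled
  # All-or-nothing gate: a half-set s3_* block would otherwise surface as
  # a confusing runtime failure. The message names the variables only,
  # never their values.
  assert:
    that:
      - (s3_endpoint | default("") | string | length) > 0
      - (s3_bucket | default("") | string | length) > 0
      - (s3_access_key_id | default("") | string | length) > 0
      - (s3_secret_access_key | default("") | string | length) > 0
    fail_msg: >-
      Runtime object storage is partially configured. Set s3_endpoint,
      s3_bucket, s3_access_key_id, and s3_secret_access_key for the
      DigitalOcean Spaces bucket, or leave all s3_* variables unset to
      disable avatar uploads.
  when: >
    (s3_endpoint | default("") | string | length) > 0 or
    (s3_bucket | default("") | string | length) > 0 or
    (s3_access_key_id | default("") | string | length) > 0 or
    (s3_secret_access_key | default("") | string | length) > 0

- name: Web env file (0640 — group-readable for ssh-shell wrapper)
  # The git user (running ssh-shell via the AKC's forced command)
  # is in the shithub group and needs to source this file via the
  # /var/lib/git/git-shell-commands/shithubd wrapper. 0640 with
  # group=shithub gives exactly that and nothing more.
  #
  # Consequence worth stating: everything in web.env — SHITHUB_DATABASE_URL
  # and whatever the storage check below reads from it — is readable by
  # the `git` account, i.e. by anyone who reaches a forced-command shell.
  # Keep web.env to what ssh-shell genuinely needs; a value only the web
  # or worker process uses belongs in worker.env (0600) instead.
  template:
    src: web.env.j2
    dest: /etc/shithub/web.env
    owner: "{{ shithub_user }}"
    group: "{{ shithub_group }}"
    mode: "0640"
  # `ansible-playbook --diff` would otherwise print the rendered
  # credentials into the console / CI log.
  diff: false
  notify: restart shithubd-web

- name: Worker env file (0600 — secrets)
  template:
    src: worker.env.j2
    dest: /etc/shithub/worker.env
    owner: "{{ shithub_user }}"
    group: "{{ shithub_group }}"
    mode: "0600"
  # Same reason as web.env: never let --diff dump secrets to the log.
  diff: false
  notify: restart shithubd-worker

- name: Storage check — repos root and runtime object bucket
  # Runs as the service account so permission problems on the repos root
  # or the bucket show up here, not at first request. `set -e` makes a
  # missing/unreadable web.env fail the task instead of running the check
  # with an empty environment. `become_user` alone is a no-op in Ansible;
  # `become` must be on for the user switch to actually happen.
  shell: |
    set -e
    set -a
    . /etc/shithub/web.env
    set +a
    /usr/local/bin/shithubd storage check
  args:
    executable: /bin/bash
  become: true
  become_user: "{{ shithub_user }}"
  changed_when: false
  when: not ansible_check_mode

- name: systemd unit — web
  copy:
    src: "{{ playbook_dir }}/../systemd/shithubd-web.service"
    dest: /etc/systemd/system/shithubd-web.service
    owner: root
    group: root
    mode: "0644"
  notify:
    - daemon-reload
    - restart shithubd-web

- name: systemd unit — worker
  copy:
    src: "{{ playbook_dir }}/../systemd/shithubd-worker.service"
    dest: /etc/systemd/system/shithubd-worker.service
    owner: root
    group: root
    mode: "0644"
  notify:
    - daemon-reload
    - restart shithubd-worker

- name: systemd unit — cron service + timer
  copy:
    src: "{{ playbook_dir }}/../systemd/{{ item }}"
    dest: "/etc/systemd/system/{{ item }}"
    owner: root
    group: root
    mode: "0644"
  loop:
    - shithubd-cron.service
    - shithubd-cron.timer
  notify:
    - daemon-reload
    - enable shithubd-cron

# AKC wrapper. sshd doesn't source EnvironmentFile= for AKC commands,
# so this script sources /etc/shithub/web.env (for SHITHUB_DATABASE_URL)
# before exec'ing the real shithubd ssh-authkeys.
#
# Installed *before* sshd_config is rendered so that a restart of sshd at
# any point after the config lands (handler or manual) never references a
# missing AuthorizedKeysCommand. sshd also insists the AKC program and its
# parent directories are root-owned and not group/world-writable —
# /usr/local/bin with root:root 0755 satisfies that.
- name: AKC wrapper — install /usr/local/bin/shithub-ssh-authkeys
  copy:
    src: shithub-ssh-authkeys
    dest: /usr/local/bin/shithub-ssh-authkeys
    mode: "0755"
    owner: root
    group: root

- name: sshd_config — render with AKC line for git-over-SSH
  # `validate` runs `sshd -t` on the rendered file before it replaces the
  # live config: a template typo otherwise ships a config the restart
  # handler will refuse, locking everyone out of the box.
  template:
    src: "{{ playbook_dir }}/../sshd_config.j2"
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: "0644"
    validate: /usr/sbin/sshd -t -f %s
  notify: restart sshd

# git-shell-commands wrapper for the AKC's forced ssh-shell command.
# git-shell only allows its three built-in commands plus entries
# under ~git/git-shell-commands/. Symlinking the bare `shithubd`
# binary in there isn't enough — the wrapper also sources web.env so
# ssh-shell (running as the git user) can read DATABASE_URL.
#
# The git user *executes* these files; it must not *own* them. With
# git:git ownership, anyone who escaped ssh-shell as `git` could edit the
# wrapper and persist across every future SSH session. git-shell only
# needs the directory and entries to be readable + executable by git,
# which root:root 0755 provides. (Nothing else in this role writes here;
# if another tool ever does, it should run as root through this role.)
- name: git-shell-commands dir
  file:
    path: /var/lib/git/git-shell-commands
    state: directory
    owner: root
    group: root
    mode: "0755"

- name: git-shell-commands shithubd wrapper
  copy:
    src: git-shell-commands-shithubd
    dest: /var/lib/git/git-shell-commands/shithubd
    owner: root
    group: root
    mode: "0755"

# Handlers (daemon-reload) fire at the end of the play, after these two
# tasks. On a fresh host systemd may not have picked up the units copied
# above yet, so reload explicitly here; it is cheap and idempotent.
- name: Enable + start shithubd-web
  systemd:
    name: shithubd-web
    state: started
    enabled: true
    daemon_reload: true

- name: Enable + start shithubd-worker
  systemd:
    name: shithubd-worker
    state: started
    enabled: true
    daemon_reload: true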