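# Installs ntfy from the archive.heckel.io APT repository on the "watchtower"
# host group, writes /etc/ntfy/server.yml, creates an admin account from the
# NTFY_USER / NTFY_PASSWORD environment variables of the control node, and
# publishes the service through a Caddy site file under caddy_sites_dir.
# ntfy_subdomain, root_domain, ntfy_port and caddy_sites_dir are not defined
# here; presumably they come from the two vars_files (verify).
- name: Deploy ntfy and configure Caddy reverse proxy
  hosts: watchtower
  become: true
  vars_files:
    - ../../infra_vars.yml
    - ./ntfy_vars.yml
  vars:
    ntfy_domain: "{{ ntfy_subdomain }}.{{ root_domain }}"

  tasks:
    - name: Ensure /etc/apt/keyrings exists
      file:
        path: /etc/apt/keyrings
        state: directory
        mode: '0755'

    # The keyring is written to a temporary file and only installed when both
    # curl and gpg succeeded. Without pipefail a failed download could leave an
    # empty or partial keyring behind, and "creates" would then skip this task
    # on every later run.
    # NOTE(review): the key is trusted on first download over HTTPS; compare
    # its fingerprint with the one published by the ntfy project before
    # relying on this repository.
    - name: Download and dearmor ntfy GPG key
      shell: |
        set -euo pipefail
        tmp="$(mktemp)"
        trap 'rm -f "$tmp"' EXIT
        curl -fsSL https://archive.heckel.io/apt/pubkey.txt | gpg --dearmor > "$tmp"
        install -m 0644 "$tmp" /etc/apt/keyrings/archive.heckel.io.gpg
      args:
        executable: /bin/bash
        creates: /etc/apt/keyrings/archive.heckel.io.gpg

    - name: Add ntfy APT repository
      copy:
        dest: /etc/apt/sources.list.d/archive.heckel.io.list
        content: |
          deb [arch=amd64 signed-by=/etc/apt/keyrings/archive.heckel.io.gpg] https://archive.heckel.io/apt debian main
        mode: '0644'

    - name: Update APT cache
      apt:
        update_cache: true

    - name: Install ntfy
      apt:
        name: ntfy
        state: present

    - name: Ensure ntfy cache directories exist
      file:
        path: "{{ item }}"
        state: directory
        owner: ntfy
        group: ntfy
        mode: '0755'
      loop:
        - /var/cache/ntfy
        - /var/cache/ntfy/attachments

    # NOTE(review): base-url is http:// although the Caddy site below also
    # serves the domain over HTTPS; confirm that http is intended here.
    # NOTE(review): listen-http ":port" binds every interface while
    # behind-proxy is true, so a client that reaches the port directly
    # bypasses Caddy and can supply its own forwarded-for header. Caddy only
    # connects to 127.0.0.1; consider "127.0.0.1:{{ ntfy_port }}" or a
    # firewall rule for this port.
    - name: Deploy ntfy configuration file
      copy:
        dest: /etc/ntfy/server.yml
        content: |
          base-url: "http://{{ ntfy_domain }}"
          listen-http: ":{{ ntfy_port }}"
          cache-file: "/var/cache/ntfy/cache.db"
          attachment-cache-dir: "/var/cache/ntfy/attachments"
          behind-proxy: true
          auth-file: "/var/lib/ntfy/user.db"
          auth-default-access: "deny-all"
        owner: root
        group: root
        mode: '0644'
      notify: Restart ntfy

    - name: Enable and start ntfy service
      systemd:
        name: ntfy
        enabled: true
        state: started

    # Fail with a clear message instead of creating an account with an empty
    # name or password when the variables are missing on the control node.
    - name: Require ntfy admin credentials in the control node environment
      assert:
        that:
          - lookup('env', 'NTFY_USER') | length > 0
          - lookup('env', 'NTFY_PASSWORD') | length > 0
        fail_msg: NTFY_USER and NTFY_PASSWORD must be set on the control node
        quiet: true

    # The password is handed to ntfy through the NTFY_PASSWORD environment
    # variable rather than being templated into a shell string: a quote or "$"
    # in the secret can no longer alter the command, and the secret does not
    # appear in the argument list. no_log keeps it out of Ansible output.
    # --ignore-exists makes a second run a no-op instead of a failure; it does
    # not update the password of an account that already exists.
    - name: Create ntfy admin user
      command:
        argv:
          - ntfy
          - user
          - add
          - --role=admin
          - --ignore-exists
          - "{{ lookup('env', 'NTFY_USER') }}"
      environment:
        NTFY_PASSWORD: "{{ lookup('env', 'NTFY_PASSWORD') }}"
      no_log: true

    - name: Ensure Caddy sites-enabled directory exists
      file:
        path: "{{ caddy_sites_dir }}"
        state: directory
        owner: root
        group: root
        mode: '0755'

    # NOTE(review): the import path is relative to /etc/caddy/Caddyfile, so it
    # only picks up ntfy.conf if caddy_sites_dir is /etc/caddy/sites-enabled;
    # verify against the vars file.
    - name: Ensure Caddyfile includes import directive for sites-enabled
      lineinfile:
        path: /etc/caddy/Caddyfile
        line: 'import sites-enabled/*'
        insertafter: EOF
        state: present
        backup: true

    # Plain-HTTP GET requests for topic, docs and static paths are redirected
    # to HTTPS; every other plain-HTTP request (for example a POST that
    # publishes a message) is proxied as-is.
    # NOTE(review): with auth-default-access "deny-all" those requests carry
    # credentials, which travel in clear text over http://; confirm this is
    # acceptable for the clients in use.
    - name: Create Caddy reverse proxy configuration for ntfy
      copy:
        dest: "{{ caddy_sites_dir }}/ntfy.conf"
        content: |
          {{ ntfy_domain }}, http://{{ ntfy_domain }} {
              reverse_proxy 127.0.0.1:{{ ntfy_port }}

              @httpget {
                  protocol http
                  method GET
                  path_regexp ^/([-_a-z0-9]{0,64}$|docs/|static/)
              }
              redir @httpget https://{host}{uri}
          }
        owner: root
        group: root
        mode: '0644'

    # Same effect as "systemctl reload caddy", expressed through the systemd
    # module so no raw command is needed.
    - name: Reload Caddy to apply new config
      systemd:
        name: caddy
        state: reloaded

  handlers:
    - name: Restart ntfy
      systemd:
        name: ntfy
        state: restarted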