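---
# Deploys Vaultwarden behind the host's Caddy reverse proxy and adds a Fail2Ban
# jail keyed on Vaultwarden's failed-login log lines.
#
# Variables expected from the vars files:
#   vaultwarden_subdomain, root_domain  -> composed into vaultwarden_domain below
#   vaultwarden_dir                     -> compose project directory (holds ./data)
#   vaultwarden_port                    -> host port Caddy proxies to
#   vaultwarden_data_dir                -> directory containing vaultwarden.log (jail task)
#   caddy_sites_dir                     -> directory the Caddyfile imports
# Optional overrides (defaults keep the previous hard-coded values):
#   vaultwarden_image, vaultwarden_signups_allowed, vaultwarden_bind_address
- name: Deploy Vaultwarden with Docker Compose and configure Caddy reverse proxy
  hosts: vipy
  become: true
  vars_files:
    - ../../infra_vars.yml
    - ./vaultwarden_vars.yml
  vars:
    vaultwarden_domain: "{{ vaultwarden_subdomain }}.{{ root_domain }}"
  tasks:
    - name: Create vaultwarden directory
      ansible.builtin.file:
        path: "{{ vaultwarden_dir }}"
        state: directory
        owner: "{{ ansible_user }}"
        group: "{{ ansible_user }}"
        mode: '0755'

    # The Caddy site below proxies to localhost, so the container only needs to
    # listen on loopback; publishing on 0.0.0.0 would expose plain HTTP that
    # bypasses the TLS-terminating proxy. Override vaultwarden_bind_address if
    # a different listener is really required.
    # vaultwarden/server:latest is a moving target; set vaultwarden_image to a
    # version tag or digest for reproducible, reviewable upgrades.
    # SIGNUPS_ALLOWED is open by default so the first account can be created;
    # set vaultwarden_signups_allowed to "false" and re-run once that is done,
    # otherwise anyone reaching the domain can register.
    - name: Create docker-compose.yml for vaultwarden
      ansible.builtin.copy:
        dest: "{{ vaultwarden_dir }}/docker-compose.yml"
        content: |
          version: "3"
          services:
            vaultwarden:
              image: "{{ vaultwarden_image | default('vaultwarden/server:latest') }}"
              container_name: vaultwarden
              restart: unless-stopped
              ports:
                - "{{ vaultwarden_bind_address | default('127.0.0.1') }}:{{ vaultwarden_port }}:80"
              volumes:
                - ./data:/data
              environment:
                WEBSOCKET_ENABLED: "true"
                DOMAIN: "https://{{ vaultwarden_domain }}"
                SIGNUPS_ALLOWED: "{{ vaultwarden_signups_allowed | default('true') }}"
                LOG_FILE: /data/vaultwarden.log

    # Not idempotent from Ansible's point of view: this task always reports
    # "changed" even when the stack is already up to date.
    - name: Deploy vaultwarden container with docker compose
      ansible.builtin.command: docker compose up -d
      args:
        chdir: "{{ vaultwarden_dir }}"

    # failregex must capture the client address in the <HOST> group; without it
    # Fail2Ban refuses to load the filter and the jail never bans anything.
    - name: Create Fail2Ban filter for Vaultwarden
      ansible.builtin.copy:
        dest: /etc/fail2ban/filter.d/vaultwarden.local
        owner: root
        group: root
        mode: '0644'
        content: |
          [INCLUDES]
          before = common.conf

          [Definition]
          failregex = ^.*?Username or password is incorrect\. Try again\. IP: <HOST>\. Username:.*$
          ignoreregex =

    # The compose file mounts ./data (under vaultwarden_dir) as /data, so
    # vaultwarden_data_dir is presumably "{{ vaultwarden_dir }}/data" — confirm
    # in vaultwarden_vars.yml, otherwise logpath points at a file that never
    # exists and the jail silently does nothing.
    - name: Create Fail2Ban jail for Vaultwarden
      ansible.builtin.copy:
        dest: /etc/fail2ban/jail.d/vaultwarden.local
        owner: root
        group: root
        mode: '0644'
        content: |
          [vaultwarden]
          enabled = true
          port = http,https
          filter = vaultwarden
          logpath = {{ vaultwarden_data_dir }}/vaultwarden.log
          maxretry = 10
          findtime = 10m
          bantime = 1h

    - name: Restart fail2ban to apply changes
      ansible.builtin.systemd:
        name: fail2ban
        state: restarted

    - name: Ensure Caddy sites-enabled directory exists
      ansible.builtin.file:
        path: "{{ caddy_sites_dir }}"
        state: directory
        owner: root
        group: root
        mode: '0755'

    # Caddy resolves the import path relative to the Caddyfile, so this expects
    # caddy_sites_dir to be /etc/caddy/sites-enabled — verify against infra_vars.yml.
    - name: Ensure Caddyfile includes import directive for sites-enabled
      ansible.builtin.lineinfile:
        path: /etc/caddy/Caddyfile
        line: 'import sites-enabled/*'
        insertafter: EOF
        state: present
        backup: true

    - name: Create Caddy reverse proxy configuration for vaultwarden
      ansible.builtin.copy:
        dest: "{{ caddy_sites_dir }}/vaultwarden.conf"
        content: |
          {{ vaultwarden_domain }} {
              reverse_proxy localhost:{{ vaultwarden_port }}
          }
        owner: root
        group: root
        mode: '0644'

    # Fail the play on a malformed Caddyfile instead of discovering it from a
    # failed reload; read-only, so never reported as a change.
    - name: Validate Caddy configuration before reloading
      ansible.builtin.command: caddy validate --config /etc/caddy/Caddyfile
      changed_when: false

    - name: Reload Caddy to apply new config
      ansible.builtin.systemd:
        name: caddy
        state: reloaded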