- name: Install and configure Caddy on Debian 12
  hosts: vipy
  become: yes

  tasks:
    - name: Install required packages
      apt:
        name:
          - debian-keyring
          - debian-archive-keyring
          - apt-transport-https
          - curl
        state: present
        update_cache: yes

    - name: Download Caddy GPG armored key
      ansible.builtin.get_url:
        url: https://dl.cloudsmith.io/public/caddy/stable/gpg.key
        dest: /tmp/caddy-stable-archive-keyring.asc
        mode: '0644'

    - name: Convert ASCII armored key to binary keyring
      ansible.builtin.command:
        cmd: gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg /tmp/caddy-stable-archive-keyring.asc
      args:
        creates: /usr/share/keyrings/caddy-stable-archive-keyring.gpg

    - name: Ensure permissions on keyring file
      ansible.builtin.file:
        path: /usr/share/keyrings/caddy-stable-archive-keyring.gpg
        owner: root
        group: root
        mode: '0644'

    - name: Add Caddy repository list file
      ansible.builtin.get_url:
        url: https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt
        dest: /etc/apt/sources.list.d/caddy-stable.list
        mode: '0644'
        validate_certs: yes

    - name: Update apt cache after adding repo
      apt:
        update_cache: yes

    - name: Install Caddy
      apt:
        name: caddy
        state: present

    - name: Ensure Caddy service is enabled and started
      systemd:
        name: caddy
        enabled: yes
        state: started

    - name: Allow HTTP through UFW
      ufw:
        rule: allow
        port: '80'
        proto: tcp

    - name: Allow HTTPS through UFW
      ufw:
        rule: allow
        port: '443'
        proto: tcp