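#SPDX-License-Identifier: MIT-0
---
# tasks file for traefik
#
# Deploys Traefik as a rootless Podman quadlet in the systemd *user* scope.
# Ports 80/443 are opened by systemd socket units and handed to the container
# (Sockets= in the quadlet); Traefik discovers backends through the user's
# Podman API socket, which is mounted at the Docker socket path.
#
# Variables read by this file:
#   infra_acme.email    - contact address passed to the ACME resolver
#   infra_acme.storage  - ACME storage file path, relative to the user's home
#                         on the host and to / inside the container

- name: Create systemd user directory
  ansible.builtin.file:
    path: ~/.config/systemd/user
    state: directory
    mode: "0755"

- name: Create podman quadlet directory
  ansible.builtin.file:
    path: ~/.config/containers/systemd
    state: directory
    mode: "0755"

# `state: file` never creates a missing path (the module fails on first run),
# so use `touch`. Preserving the timestamps keeps the task idempotent.
# Mode 0600 keeps the ACME account key and issued certificates private.
- name: Create acme file
  ansible.builtin.file:
    path: "~/{{ infra_acme.storage }}"
    state: touch
    mode: "0600"
    access_time: preserve
    modification_time: preserve

- name: Setup local socket for traefik
  ansible.builtin.systemd_service:
    name: podman.socket
    state: started
    enabled: true
    scope: user

# Best-effort cleanup: the legacy unit may not exist on a fresh host, so a
# failure to stop or disable it is deliberately ignored.
- name: Stop legacy generated traefik service
  ansible.builtin.systemd_service:
    name: container-traefik.service
    state: stopped
    enabled: false
    scope: user
  failed_when: false

- name: Remove legacy generated traefik service
  ansible.builtin.file:
    path: ~/.config/systemd/user/container-traefik.service
    state: absent

# NOTE(review): binding ports below 1024 from a user unit normally requires
# net.ipv4.ip_unprivileged_port_start to be lowered on the host; confirm that
# is handled outside this file.
- name: Install traefik http socket
  ansible.builtin.copy:
    dest: ~/.config/systemd/user/http.socket
    mode: "0644"
    content: |
      [Socket]
      ListenStream=80
      FileDescriptorName=http
      Service=traefik.service

      [Install]
      WantedBy=sockets.target

- name: Install traefik https socket
  ansible.builtin.copy:
    dest: ~/.config/systemd/user/https.socket
    mode: "0644"
    content: |
      [Socket]
      ListenStream=443
      FileDescriptorName=https
      Service=traefik.service

      [Install]
      WantedBy=sockets.target

# Security notes for the quadlet below:
# - --api.insecure=true serves the dashboard and API on port 8080 without
#   authentication. The published port is therefore bound to loopback only;
#   reach it through an SSH tunnel, or replace insecure mode with a router
#   protected by authentication before exposing it any further.
# - The Podman API socket mounted at /var/run/docker.sock gives the container
#   control over every container of this user. SecurityLabelDisable=true
#   additionally turns off SELinux separation for the container. Treat a
#   compromise of Traefik as a compromise of the whole user account.
# - --providers.docker=true leaves Traefik's default of creating a router for
#   every discovered container; consider
#   --providers.docker.exposedbydefault=false and opting containers in by
#   label.
# - Image=...:latest is a mutable tag; pin a reviewed version tag or digest
#   so deployments are reproducible and upgrades are deliberate.
# The result is registered so the service is restarted when the unit changes.
- name: Install traefik quadlet
  ansible.builtin.copy:
    dest: ~/.config/containers/systemd/traefik.container
    mode: "0644"
    content: |
      [Unit]
      After=podman.socket http.socket https.socket
      Requires=podman.socket http.socket https.socket

      [Service]
      Sockets=http.socket https.socket
      Restart=always

      [Container]
      ContainerName=traefik
      Image=docker.io/library/traefik:latest
      Exec=--api.dashboard=true --api.insecure=true --certificatesresolvers.lets-encrypt.acme.email={{ infra_acme.email }} --certificatesresolvers.lets-encrypt.acme.storage=/{{ infra_acme.storage }} --certificatesresolvers.lets-encrypt.acme.tlschallenge=true --entrypoints.http --entrypoints.http.http.redirections.entryPoint.to=https --entrypoints.http.http.redirections.entryPoint.scheme=https --entrypoints.https --providers.docker=true
      Network=podman
      Notify=true
      PublishPort=127.0.0.1:8080:8080
      SecurityLabelDisable=true
      Volume=%t/podman/podman.sock:/var/run/docker.sock
      Volume=%h/{{ infra_acme.storage }}:/{{ infra_acme.storage }}:Z
  register: traefik_quadlet_result

# The quadlet generator only runs on daemon-reload, so traefik.service does
# not exist (or is stale) until this task has run.
- name: Reload systemd user units
  ansible.builtin.systemd_service:
    daemon_reload: true
    scope: user

- name: Activate traefik sockets
  ansible.builtin.systemd_service:
    name: "{{ item }}"
    state: started
    enabled: true
    scope: user
  loop:
    - http.socket
    - https.socket

# `started` alone would leave an already-running container on its old
# configuration; restart when the quadlet file was rewritten so changes
# (including security-relevant ones) actually take effect.
- name: Activate traefik service
  ansible.builtin.systemd_service:
    name: traefik.service
    state: "{{ 'restarted' if traefik_quadlet_result is changed else 'started' }}"
    scope: user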