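---
# tasks file for traefik
#
# Disables dockerd's own iptables management through a systemd drop-in,
# lays down the Traefik configuration under /home/<docker_user>/traefik,
# starts the compose project and waits until port 443 accepts connections.

- name: Ensure systemd docker.service.d directory exists
  file:
    path: "/etc/systemd/system/docker.service.d/"
    state: directory
    owner: root
    group: root
    mode: '0755'
  tags: firewall

# The empty "ExecStart=" clears the command inherited from the packaged unit
# before the replacement is set. With --iptables=false dockerd no longer adds
# its own iptables rules, so filtering and NAT for published container ports
# depend entirely on the host firewall.
# NOTE(review): confirm the host firewall configuration covers this; it is
# not part of this file.
- name: Provide systemd config to disable Docker's tampering with the firewall
  copy:
    dest: /etc/systemd/system/docker.service.d/noiptables.conf
    owner: root
    group: root
    mode: '0644'
    content: |
      [Service]
      ExecStart=
      ExecStart=/usr/bin/dockerd -H fd:// --iptables=false
  register: docker_restart_required
  tags: firewall

# Only restarts when the drop-in above actually changed.
- name: Restart docker service to pickup config changes
  systemd:
    name: docker
    daemon_reload: true
    state: restarted
  become: true
  when: docker_restart_required.changed
  tags: firewall

# NOTE(review): no mode is set on the two directories below, so their
# permissions follow the remote umask; set an explicit mode if the rendered
# configuration must not be readable by other local users.
- name: Ensure traefik config directory exists
  file:
    path: "/home/{{ docker_user }}/traefik"
    state: directory
    owner: "{{ docker_user }}"
    group: "{{ docker_user }}"
  tags: config

- name: Ensure traefik rules directory exists
  file:
    path: "/home/{{ docker_user }}/traefik/rules"
    state: directory
    owner: "{{ docker_user }}"
    group: "{{ docker_user }}"
  tags: config

- name: Provide TLS default options
  template:
    src: templates/t2-rules-tls-options.toml.j2
    dest: "/home/{{ docker_user }}/traefik/rules/tls-options.toml"
    owner: "{{ docker_user }}"
    group: "{{ docker_user }}"
    mode: '0644'
  tags: config

# NOTE(review): the next two files are rendered world-readable ('0644'). The
# templates are not visible here; if they carry credentials (API tokens,
# dashboard auth hashes), tighten the mode.
- name: Provide docker-compose.yml
  template:
    src: templates/docker-compose.traefik.yml.j2
    dest: "/home/{{ docker_user }}/traefik/docker-compose.yml"
    owner: "{{ docker_user }}"
    group: "{{ docker_user }}"
    mode: '0644'
  tags: config

- name: Provide traefik.toml
  template:
    src: templates/traefik.toml.j2
    dest: "/home/{{ docker_user }}/traefik/traefik.toml"
    owner: "{{ docker_user }}"
    group: "{{ docker_user }}"
    mode: '0644'
  tags: config

# Creates an empty acme.json once and never overwrites an existing one
# (force: false). Presumably this is Traefik's ACME storage, which holds
# private keys, hence the owner-only mode. The mode is quoted so it is read
# as an octal string instead of going through YAML integer typing.
# NOTE(review): with force: false the copy module is expected to skip a file
# that already exists, so a pre-existing acme.json with looser permissions
# would not be corrected here; verify on already-provisioned hosts.
- name: Configure SSL
  copy:
    content: ""
    force: false
    dest: "/home/{{ docker_user }}/traefik/acme.json"
    mode: '0600'
  tags: config

# Tagged 'never', so this only runs when explicitly requested
# (for example with --tags teardown).
- name: "docker-compose: Teardown existing Traefik service (only removes the containers)"
  docker_compose:
    project_src: "/home/{{ docker_user }}/traefik/"
    state: absent
  tags:
    - never
    - teardown

- name: "docker-compose: Start Traefik service"
  docker_compose:
    project_src: "/home/{{ docker_user }}/traefik/"
  register: output
  tags: service_start

- name: Show docker-compose output
  debug:
    var: output

# Runs from the control node (delegate_to: localhost, no privilege
# escalation). wait_for only confirms that the TCP port accepts connections;
# it does not validate the certificate that is served.
- name: "Waiting for Traefik service (443/TLS) to become available"
  become: false
  wait_for:
    host: "{{ ansible_ssh_host }}"
    port: 443
  delegate_to: localhost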