Post-Tyranny-Tech-Infrastructure/ansible/playbooks/260123-configure-diun-webhook.yml

---
# Configure Diun to use webhook notifications instead of email
# This playbook updates all servers to send container update notifications
# to a Matrix room via webhook instead of individual emails per server
#
# Usage:
#   ansible-playbook -i hcloud.yml playbooks/260123-configure-diun-webhook.yml
#
# Or for specific servers:
#   ansible-playbook -i hcloud.yml playbooks/260123-configure-diun-webhook.yml --limit das,uil,vos

- name: Configure Diun webhook notifications on all servers
  hosts: all
  become: yes

  vars:
    # Diun base configuration (from role defaults)
    diun_version: "latest"
    diun_log_level: "info"
    diun_watch_workers: 10
    diun_watch_all: true
    diun_exclude_containers: []
    diun_first_check_notif: false

    # Schedule: Daily at 6am UTC
    diun_schedule: "0 6 * * *"

    # Webhook configuration - sends to Matrix via custom webhook
    diun_notif_enabled: true
    diun_notif_type: webhook
    diun_webhook_endpoint: "https://diun-webhook.postxsociety.cloud"
    diun_webhook_method: POST
    diun_webhook_headers:
      Content-Type: application/json

    # Disable email notifications
    diun_email_enabled: false

    # SMTP defaults (not used when email disabled, but needed for template)
    diun_smtp_host: "smtp.eu.mailgun.org"
    diun_smtp_port: 587
    diun_smtp_from: "{{ client_name }}@mg.vrije.cloud"
    diun_smtp_to: "pieter@postxsociety.org"

    # Optional notification defaults (unused but needed for template)
    diun_slack_webhook_url: ""
    diun_matrix_enabled: false
    diun_matrix_homeserver_url: ""
    diun_matrix_user: ""
    diun_matrix_password: ""
    diun_matrix_room_id: ""

  pre_tasks:
    - name: Gather facts
      setup:

    - name: Determine client name from hostname
      set_fact:
        client_name: "{{ inventory_hostname }}"

    - name: Load client secrets
      community.sops.load_vars:
        file: "{{ playbook_dir }}/../../secrets/clients/{{ client_name }}.sops.yaml"
        name: client_secrets
        age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
      no_log: true

    - name: Load shared secrets
      community.sops.load_vars:
        file: "{{ playbook_dir }}/../../secrets/shared.sops.yaml"
        name: shared_secrets
        age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
      no_log: true

    - name: Merge shared secrets into client_secrets
      set_fact:
        client_secrets: "{{ client_secrets | combine(shared_secrets) }}"
      no_log: true

  tasks:
    - name: Set SMTP credentials (required by template even if unused)
      set_fact:
        diun_smtp_username_final: "{{ client_secrets.mailgun_smtp_user | default('') }}"
        diun_smtp_password_final: ""
      no_log: true

    - name: Display configuration summary
      debug:
        msg: |
          Configuring Diun on {{ inventory_hostname }}:
          - Webhook endpoint: {{ diun_webhook_endpoint }}
          - Email notifications: {{ 'enabled' if diun_email_enabled else 'disabled' }}
          - Schedule: {{ diun_schedule }} (Daily at 6am UTC)

    - name: Deploy Diun configuration with webhook
      template:
        src: "{{ playbook_dir }}/../roles/diun/templates/diun.yml.j2"
        dest: /opt/docker/diun/diun.yml
        mode: '0644'
      notify: Restart Diun

    - name: Restart Diun to apply new configuration
      community.docker.docker_compose_v2:
        project_src: /opt/docker/diun
        state: restarted

    - name: Wait for Diun to start
      pause:
        seconds: 5

    - name: Check Diun status
      shell: docker ps --filter name=diun --format "{{ '{{' }}.Status{{ '}}' }}"
      register: diun_status
      changed_when: false

    - name: Display Diun status
      debug:
        msg: "Diun status on {{ inventory_hostname }}: {{ diun_status.stdout }}"

  handlers:
    - name: Restart Diun
      community.docker.docker_compose_v2:
        project_src: /opt/docker/diun
        state: restarted