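---
# Deploy applications to client servers
# This playbook deploys Authentik, Nextcloud, and other applications
#
# Flow: pre_tasks load the per-client SOPS-encrypted secrets file and derive
# the client/Authentik domains from it, the roles do the deployment, and
# post_tasks print a summary with the remaining manual steps.
#
# Secrets handling:
#   * The decrypted file is stored in the `client_secrets` variable for the
#     rest of the play. Any task that prints or templates that variable
#     should carry `no_log: true`, as the load task does.
#   * The age private key is located through the SOPS_AGE_KEY_FILE
#     environment variable, which holds a *path* to the key file.

- name: Deploy applications to client servers
  hosts: all
  # Canonical boolean; `yes` is a YAML 1.1 truthy value that linters flag.
  become: true

  pre_tasks:
    - name: Gather facts
      setup:

    # The inventory hostname doubles as the client identifier, so each host
    # only ever selects its own secrets file below.
    - name: Determine client name from hostname
      set_fact:
        client_name: "{{ inventory_hostname }}"

    # SOPS_AGE_KEY_FILE is a path to the key file, so it belongs in
    # `age_keyfile`; `age_key` expects the private key material itself.
    # When the variable is unset the option is omitted and sops falls back
    # to its own default key lookup instead of receiving an empty value.
    - name: Load client secrets
      community.sops.load_vars:
        file: "{{ playbook_dir }}/../../secrets/clients/{{ client_name }}.sops.yaml"
        name: client_secrets
        age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') | default(omit, true) }}"
      # Keep decrypted values out of task output and logs.
      no_log: true

    # NOTE(review): both domain facts are only set when present in the
    # secrets file. If a key is missing, the variable has to come from
    # somewhere else (inventory or role defaults - not visible here),
    # otherwise the summary task fails on an undefined variable after the
    # roles have already run.
    - name: Set client domain from secrets
      set_fact:
        client_domain: "{{ client_secrets.client_domain }}"
      when: client_secrets.client_domain is defined

    - name: Set Authentik domain from secrets
      set_fact:
        authentik_domain: "{{ client_secrets.authentik_domain }}"
      when: client_secrets.authentik_domain is defined

  roles:
    - role: authentik
    - role: nextcloud

  post_tasks:
    # The summary prints hostnames only, never values from client_secrets.
    #
    # NOTE(review): step 1 leaves the Authentik initial-setup flow open until
    # someone completes it; whoever reaches that URL first sets the admin
    # password. Complete it right after the run, or have the authentik role
    # pre-seed the admin credentials (Authentik supports
    # AUTHENTIK_BOOTSTRAP_PASSWORD) - confirm against the role, which is not
    # visible here.
    - name: Display deployment summary
      debug:
        msg: |
          Deployment complete for client: {{ client_name }}

          Authentik SSO: https://{{ authentik_domain }}
          Nextcloud: https://nextcloud.{{ client_domain }}

          Next steps:
          1. Complete Authentik initial setup at:
             https://{{ authentik_domain }}/if/flow/initial-setup/
          2. Create OAuth2/OIDC provider for Nextcloud in Authentik
          3. Configure Nextcloud to use Authentik for SSO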