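---
# OIDC Application creation tasks via Zitadel API
# Fully automated OIDC app provisioning for Nextcloud and other services
#
# Flow: stage the helper script -> detect the machine-user JWT key inside the
# zitadel container -> copy it out briefly -> run zitadel_api.py to create the
# Nextcloud OIDC app -> register the resulting client in Nextcloud via occ.
#
# Secret handling: the JWT key and the OIDC client secret both pass through
# registered results and facts, so every task that touches them is no_log'd,
# and the temporary key copy is removed in an `always` section even when the
# API call fails.

- name: Create Zitadel scripts directory
  file:
    path: /opt/zitadel
    state: directory
    mode: '0755'

- name: Copy OIDC automation scripts to server
  copy:
    src: "{{ item }}"
    dest: "/opt/zitadel/{{ item }}"
    mode: '0755'
  loop:
    - zitadel_api.py

- name: Install Python libraries for OIDC automation
  package:
    name:
      - python3-requests
      - python3-jwt
    state: present
  become: true

# `command` rather than `shell`: no shell features are needed, so the
# arguments are passed verbatim and nothing is re-interpreted by a shell.
- name: Check if JWT key file exists
  command: docker exec zitadel ls /machinekey/api-automation.json
  register: jwt_key_check
  failed_when: false
  changed_when: false

- name: Set JWT authentication available
  set_fact:
    jwt_auth_available: "{{ jwt_key_check.rc == 0 }}"

# The key only exists on the host for the duration of this block; the
# `always` section removes it regardless of whether the API call succeeded.
- name: Provision the Nextcloud OIDC application with the machine-user key
  when: jwt_auth_available
  block:
    - name: Copy JWT key from container to host
      command: docker cp zitadel:/machinekey/api-automation.json /tmp/api-automation.json
      changed_when: false

    # docker cp keeps whatever mode the file has inside the container, so
    # tighten it explicitly. NOTE(review): /tmp/api-automation.json is a
    # predictable name in a shared directory; a private directory would be
    # safer on multi-user hosts.
    - name: Restrict permissions on the temporary JWT key
      file:
        path: /tmp/api-automation.json
        mode: '0600'

    # stdout is the JSON document the script emits, which includes the
    # client secret on creation, so the registered result must not be logged.
    - name: Create OIDC application for Nextcloud using JWT auth
      command:
        argv:
          - python3
          - /opt/zitadel/zitadel_api.py
          - "{{ zitadel_domain }}"
          - /tmp/api-automation.json
          - Nextcloud
          - "https://nextcloud.{{ client_domain }}/apps/user_oidc/code"
      register: oidc_app_result
      changed_when: "'created' in oidc_app_result.stdout"
      failed_when: oidc_app_result.rc != 0
      no_log: true

  always:
    - name: Clean up temporary JWT key file
      file:
        path: /tmp/api-automation.json
        state: absent

# oidc_app_data carries client_secret when status is 'created'; keep it out
# of the log like the registered result it is parsed from.
- name: Parse OIDC app creation result
  set_fact:
    oidc_app_data: "{{ oidc_app_result.stdout | from_json }}"
  when: jwt_auth_available and oidc_app_result is defined
  no_log: true

# Only non-secret fields are printed here.
- name: Display OIDC app status
  debug:
    msg: |
      ✅ Nextcloud OIDC Application: {{ oidc_app_data.status }}
      Client ID: {{ oidc_app_data.client_id | default('N/A') }}
      Redirect URI: {{ oidc_app_data.redirect_uri | default('N/A') }}
  when: jwt_auth_available and oidc_app_data is defined

- name: Save OIDC credentials for Nextcloud configuration
  set_fact:
    nextcloud_oidc_client_id: "{{ oidc_app_data.client_id }}"
    nextcloud_oidc_client_secret: "{{ oidc_app_data.client_secret }}"
  when: jwt_auth_available and oidc_app_data is defined and oidc_app_data.status == 'created'
  no_log: true

# Best-effort: re-running against an existing provider is expected to fail,
# so a non-zero exit is tolerated via failed_when rather than `|| true`. The
# exit code stays in oidc_config_result.rc for the status message below.
# no_log is required: the client secret is on the command line.
- name: Configure OIDC provider in Nextcloud
  command:
    argv:
      - docker
      - exec
      - -u
      - www-data
      - nextcloud
      - php
      - occ
      - user_oidc:provider:add
      - "--clientid={{ nextcloud_oidc_client_id }}"
      - "--clientsecret={{ nextcloud_oidc_client_secret }}"
      - "--discoveryuri=https://{{ zitadel_domain }}/.well-known/openid-configuration"
      - Zitadel
  when: jwt_auth_available and nextcloud_oidc_client_id is defined and nextcloud_oidc_client_secret is defined
  register: oidc_config_result
  failed_when: false
  changed_when: "'Provider Zitadel has been created' in oidc_config_result.stdout"
  no_log: true

# `is not skipped` avoids reporting "Already configured" when the occ task
# never ran (a skipped task still leaves oidc_config_result defined).
- name: Display OIDC configuration result
  debug:
    msg: |
      ✅ Nextcloud OIDC Provider Configuration: {{ 'Success' if oidc_config_result.changed else 'Already configured' }} (occ exit code: {{ oidc_config_result.rc }})
      Users can now login to Nextcloud using Zitadel SSO!
      Visit: https://nextcloud.{{ client_domain }}
  when: jwt_auth_available and oidc_config_result is defined and oidc_config_result is not skipped

- name: OIDC automation not available
  debug:
    msg: |
      ⚠️ OIDC automation not available - JWT key not found.
      This should not happen if FirstInstance completed successfully.
      Check Zitadel logs: docker logs zitadel
  when: not jwt_auth_available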