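---
# Deploy applications to client servers
# This playbook deploys Authentik, Nextcloud, and other applications.
#
# Prerequisites (checked in pre_tasks):
#   - the base infrastructure playbook has already placed Traefik at
#     /opt/docker/traefik/docker-compose.yml on the target host
#   - SOPS_AGE_KEY_FILE points at the age key that can decrypt
#     secrets/clients/<client>.sops.yaml and secrets/shared.sops.yaml
- name: Deploy applications to client servers
  hosts: all
  # Canonical boolean; `yes` is a YAML 1.1-only truthy spelling.
  become: true

  pre_tasks:
    - name: Gather facts
      setup:

    # The inventory hostname doubles as the client identifier used to
    # locate the per-client secrets file below.
    - name: Determine client name from hostname
      set_fact:
        client_name: "{{ inventory_hostname }}"

    - name: Check if base infrastructure is installed
      stat:
        path: /opt/docker/traefik/docker-compose.yml
      register: traefik_compose

    - name: Fail if base infrastructure is not installed
      fail:
        msg: |
          ❌ ERROR: Base infrastructure not installed!
          Traefik reverse proxy is required but not found.

          You must run the setup playbook BEFORE deploying applications:
            ansible-playbook -i hcloud.yml playbooks/setup.yml --limit {{ client_name }}

          Or use the rebuild script which handles the correct order automatically:
            ./scripts/rebuild-client.sh {{ client_name }}
      when: not traefik_compose.stat.exists

    # Secret-loading tasks run with no_log so decrypted values never reach
    # the Ansible output or any log aggregator that captures it.
    - name: Load client secrets
      community.sops.load_vars:
        file: "{{ playbook_dir }}/../../secrets/clients/{{ client_name }}.sops.yaml"
        name: client_secrets
        age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
      no_log: true

    - name: Load shared secrets (Mailgun API key, etc.)
      community.sops.load_vars:
        file: "{{ playbook_dir }}/../../secrets/shared.sops.yaml"
        name: shared_secrets
        age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
      no_log: true

    # combine() is a shallow merge; on a key present in both files the
    # value from shared_secrets (the later argument) wins.
    - name: Merge shared secrets into client_secrets
      set_fact:
        client_secrets: "{{ client_secrets | combine(shared_secrets) }}"
      no_log: true

    # Domains are only promoted to play vars when the secrets file defines
    # them; roles are expected to supply their own defaults otherwise.
    - name: Set client domain from secrets
      set_fact:
        client_domain: "{{ client_secrets.client_domain }}"
      when: client_secrets.client_domain is defined

    - name: Set Authentik domain from secrets
      set_fact:
        authentik_domain: "{{ client_secrets.authentik_domain }}"
      when: client_secrets.authentik_domain is defined

  roles:
    - role: mailgun
    - role: authentik
    - role: nextcloud
    - role: diun
      tags: diun
    - role: kuma
      tags: kuma

  post_tasks:
    # The summary deliberately does NOT print admin passwords or tokens:
    # debug output bypasses the no_log protection applied above and ends up
    # in console scrollback, CI logs and any log shipping. Operators fetch
    # credentials from the SOPS-encrypted secrets file instead.
    - name: Display deployment summary
      debug:
        msg: |
          ============================================================
          🎉 Deployment complete for client: {{ client_name }}
          ============================================================

          Services deployed and configured:
            ✓ Authentik SSO: https://{{ authentik_domain }}
            ✓ Nextcloud: https://nextcloud.{{ client_domain }}
            ✓ SSO Integration: Fully automated (OAuth2/OIDC)

          Authentik Admin Access:
            - Username: akadmin
            - Password: see authentik_bootstrap_password in secrets/clients/{{ client_name }}.sops.yaml
            - API Token: Configured automatically

          Nextcloud Admin Access:
            - Username: {{ client_secrets.nextcloud_admin_user }}
            - Password: see nextcloud_admin_password in secrets/clients/{{ client_name }}.sops.yaml

          End User Access:
            1. Create users in Authentik: https://{{ authentik_domain }}
            2. Users login to Nextcloud via "Login with Authentik" button
            3. First login creates linked Nextcloud account automatically

          ============================================================
          Ready to use! No manual configuration required.
          ============================================================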