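---
# Configure Diun to disable watchRepo and add Docker Hub authentication
# This playbook updates all servers to:
# - Only watch specific image tags (not entire repositories) to reduce API calls
# - Add Docker Hub authentication for higher rate limits
#
# Background:
# - watchRepo: true checks ALL tags in a repository (hundreds of API calls)
# - watchRepo: false only checks the specific tag being used (1-2 API calls)
# - Docker Hub auth increases rate limit from 100 to 5000 pulls per 6 hours
#
# Secrets handling:
# - Docker Hub and SMTP credentials are loaded from SOPS-encrypted files and
#   rendered into /opt/docker/diun/diun.yml; every task that handles them runs
#   with no_log so the values never reach the console or the Ansible log.
#
# Usage:
#   cd ansible/
#   SOPS_AGE_KEY_FILE="../keys/age-key.txt" HCLOUD_TOKEN="..." \
#     ansible-playbook -i hcloud.yml playbooks/260124-configure-diun-watchrepo.yml
#
# Or for specific servers:
#   SOPS_AGE_KEY_FILE="../keys/age-key.txt" HCLOUD_TOKEN="..." \
#     ansible-playbook -i hcloud.yml playbooks/260124-configure-diun-watchrepo.yml \
#     --limit das,uil,vos --private-key "../keys/ssh/das"

- name: Configure Diun watchRepo and Docker Hub authentication
  hosts: all
  become: true  # canonical boolean; `yes` is a YAML 1.1 truthy value

  vars:
    # Diun base configuration
    diun_version: "latest"
    diun_log_level: "info"
    diun_watch_workers: 10
    diun_watch_all: true
    diun_exclude_containers: []
    diun_first_check_notif: false

    # Schedule: Weekly on Monday at 6am UTC (to reduce API calls)
    diun_schedule: "0 6 * * 1"

    # Disable watchRepo - only check the specific tags we're using
    diun_watch_repo: false

    # Webhook configuration - sends to Matrix via custom webhook
    diun_notif_enabled: true
    diun_notif_type: webhook
    diun_webhook_endpoint: "https://diun-webhook.postxsociety.cloud"
    diun_webhook_method: POST
    diun_webhook_headers:
      Content-Type: application/json

    # Disable email notifications
    diun_email_enabled: false

    # SMTP defaults (not used when email disabled, but needed for template)
    diun_smtp_host: "smtp.eu.mailgun.org"
    diun_smtp_port: 587
    diun_smtp_from: "{{ client_name }}@mg.vrije.cloud"
    diun_smtp_to: "pieter@postxsociety.org"

    # Optional notification defaults (unused but needed for template)
    diun_slack_webhook_url: ""
    diun_matrix_enabled: false
    diun_matrix_homeserver_url: ""
    diun_matrix_user: ""
    diun_matrix_password: ""
    diun_matrix_room_id: ""

  pre_tasks:
    - name: Gather facts
      ansible.builtin.setup:

    - name: Determine client name from hostname
      ansible.builtin.set_fact:
        client_name: "{{ inventory_hostname }}"

    - name: Load client secrets
      community.sops.load_vars:
        file: "{{ playbook_dir }}/../../secrets/clients/{{ client_name }}.sops.yaml"
        name: client_secrets
        age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
      no_log: true

    - name: Load shared secrets
      community.sops.load_vars:
        file: "{{ playbook_dir }}/../../secrets/shared.sops.yaml"
        name: shared_secrets
        age_keyfile: "{{ lookup('env', 'SOPS_AGE_KEY_FILE') }}"
      no_log: true

    - name: Merge shared secrets into client_secrets
      # combine() is a shallow merge and the right-hand side wins: a key present
      # in both files takes the shared value, so per-client overrides must not
      # reuse a shared key name.
      ansible.builtin.set_fact:
        client_secrets: "{{ client_secrets | combine(shared_secrets) }}"
      no_log: true

  tasks:
    - name: Set SMTP credentials (required by template even if unused)
      ansible.builtin.set_fact:
        diun_smtp_username_final: "{{ client_secrets.mailgun_smtp_user | default('') }}"
        diun_smtp_password_final: ""
      no_log: true

    - name: Set Docker Hub credentials for higher rate limits
      # Deliberately no default(): a missing credential fails the play here
      # rather than silently deploying an anonymous, rate-limited config.
      ansible.builtin.set_fact:
        diun_docker_hub_username: "{{ client_secrets.docker_hub_username }}"
        diun_docker_hub_password: "{{ client_secrets.docker_hub_password }}"
      no_log: true

    - name: Display configuration summary
      # Only the presence of the Docker Hub username is reported, never its value.
      ansible.builtin.debug:
        msg: |
          Configuring Diun on {{ inventory_hostname }}:
          - Webhook endpoint: {{ diun_webhook_endpoint }}
          - Email notifications: {{ 'enabled' if diun_email_enabled else 'disabled' }}
          - Schedule: {{ diun_schedule }} (Weekly on Monday at 6am UTC)
          - Watch entire repositories: {{ 'yes' if diun_watch_repo else 'no (only specific tags)' }}
          - Docker Hub auth: {{ 'enabled' if diun_docker_hub_username else 'disabled' }}

    - name: Deploy Diun configuration with watchRepo disabled and Docker Hub auth
      # The rendered file carries the Docker Hub credentials set above, so this
      # task runs with no_log; without it, --diff / -v output would print the
      # plaintext. The trade-off is that a template failure is censored too.
      # mode 0644 keeps the existing deployment's permissions; the file is
      # world-readable on the host, so tighten it if the container's user
      # allows (TODO confirm against the compose service definition).
      ansible.builtin.template:
        src: "{{ playbook_dir }}/../roles/diun/templates/diun.yml.j2"
        dest: /opt/docker/diun/diun.yml
        mode: '0644'
      register: diun_config
      no_log: true
      notify: Restart Diun

    - name: Restart Diun now if the configuration changed
      # Runs the notified handler immediately instead of at the end of the play,
      # so Diun restarts once, and only when diun.yml actually changed, rather
      # than unconditionally here and a second time via the handler later.
      ansible.builtin.meta: flush_handlers

    - name: Wait for Diun to start
      ansible.builtin.pause:
        seconds: 5
      when: diun_config.changed

    - name: Check Diun status
      # command rather than shell: the line uses no pipes or globs, so no shell
      # interpretation is needed.
      ansible.builtin.command: docker ps --filter name=diun --format "{{ '{{' }}.Status{{ '}}' }}"
      register: diun_status
      changed_when: false

    - name: Display Diun status
      ansible.builtin.debug:
        msg: "Diun status on {{ inventory_hostname }}: {{ diun_status.stdout }}"

    - name: Verify Diun configuration
      # grep prints only the lines matching the two key names, so the credential
      # values nested under regopts are never captured or displayed below.
      ansible.builtin.shell: >-
        docker exec diun cat /diun.yml
        | grep -E "(watchRepo|regopts)"
        || echo "Config deployed"
      register: diun_config_check
      changed_when: false

    - name: Display configuration verification
      ansible.builtin.debug:
        msg: |
          Configuration applied on {{ inventory_hostname }}:
          {{ diun_config_check.stdout }}

  handlers:
    - name: Restart Diun
      community.docker.docker_compose_v2:
        project_src: /opt/docker/diun
        state: restarted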