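---
# Renders the stack's configuration files under {{ services_root }} and
# prepares supporting files (logrotate rule, Traefik acme.json).
# Most template tasks notify the "Restart stack" handler so a changed file
# triggers a restart.
#
# NOTE(review): every config except .env and acme.json is written 0644
# (world-readable). That assumes the rendered templates hold no secrets;
# confirm for docker-compose.yml and the act_runner config in particular,
# and tighten to "0640"/"0600" if they do.

# .env is owner-only (0600).
- name: Deploy .env file
  ansible.builtin.template:
    src: env.j2
    dest: "{{ services_root }}/.env"
    owner: "{{ deploy_user }}"
    group: "{{ deploy_group }}"
    mode: "0600"
  notify: Restart stack

- name: Deploy docker-compose.yml
  ansible.builtin.template:
    src: docker-compose.yml.j2
    dest: "{{ services_root }}/docker-compose.yml"
    owner: "{{ deploy_user }}"
    group: "{{ deploy_group }}"
    mode: "0644"
  notify: Restart stack

- name: Deploy Traefik static config
  ansible.builtin.template:
    src: traefik/traefik.yml.j2
    dest: "{{ services_root }}/traefik/traefik.yml"
    owner: "{{ deploy_user }}"
    group: "{{ deploy_group }}"
    mode: "0644"
  notify: Restart stack

- name: Deploy Traefik dynamic routes
  ansible.builtin.template:
    src: traefik/dynamic/routes.yml.j2
    dest: "{{ services_root }}/traefik/dynamic/routes.yml"
    owner: "{{ deploy_user }}"
    group: "{{ deploy_group }}"
    mode: "0644"
  notify: Restart stack

- name: Deploy act_runner config
  ansible.builtin.template:
    src: act_runner_config.yaml.j2
    dest: "{{ services_root }}/act_runner/config.yaml"
    owner: "{{ deploy_user }}"
    group: "{{ deploy_group }}"
    mode: "0644"
  notify: Restart stack

# The S3 credentials are handed to the task through `environment:` and
# forwarded into the container with value-less `-e NAME` flags. They were
# previously interpolated into the command text, which exposed them in the
# process argument list and in the command Ansible records in the task
# result, and left them unquoted for the shell to interpret.
#
# NOTE(review): the image uses the floating `latest` tag; pin a version or
# digest so the code that receives these credentials is reproducible.
# NOTE(review): `ignore_errors: true` with `changed_when: false` means a
# failed CORS update passes silently; check the bucket's CORS policy
# out of band if browser uploads fail.
- name: Configure CORS on walava-docmost S3 bucket (required for browser uploads)
  ansible.builtin.shell: |
    docker run --rm \
      -e AWS_ACCESS_KEY_ID \
      -e AWS_SECRET_ACCESS_KEY \
      -e AWS_DEFAULT_REGION=ru-1 \
      amazon/aws-cli:latest \
      --endpoint-url https://s3.twcstorage.ru \
      s3api put-bucket-cors \
      --bucket walava-docmost \
      --cors-configuration '{"CORSRules":[{"AllowedOrigins":["https://{{ domain_wiki }}"],"AllowedMethods":["GET","PUT","POST","DELETE","HEAD"],"AllowedHeaders":["*"],"ExposeHeaders":["ETag"],"MaxAgeSeconds":3000}]}'
  environment:
    AWS_ACCESS_KEY_ID: "{{ s3_access_key }}"
    AWS_SECRET_ACCESS_KEY: "{{ s3_secret_key }}"
  changed_when: false
  ignore_errors: true

- name: Deploy Promtail config
  ansible.builtin.template:
    src: loki/promtail.yml.j2
    dest: "{{ services_root }}/loki/promtail.yml"
    owner: "{{ deploy_user }}"
    group: "{{ deploy_group }}"
    mode: "0644"
  notify: Restart stack

- name: Deploy CrowdSec acquisition config
  ansible.builtin.template:
    src: crowdsec/acquis.yaml.j2
    dest: "{{ services_root }}/crowdsec/acquis.yaml"
    owner: "{{ deploy_user }}"
    group: "{{ deploy_group }}"
    mode: "0644"
  notify: Restart stack

# Installed system-wide as root; no handler is notified for this file.
- name: Deploy Traefik logrotate config
  ansible.builtin.template:
    src: logrotate/traefik.j2
    dest: /etc/logrotate.d/traefik
    owner: root
    group: root
    mode: "0644"

# acme.json is created empty if missing and kept owner-only (0600).
# Preserving the timestamps stops `state: touch` from reporting a change
# on every run.
# NOTE(review): presumably this is Traefik's ACME certificate store, which
# would hold private keys; confirm nothing later loosens the mode.
- name: Create acme.json for Let's Encrypt certificates
  ansible.builtin.file:
    path: "{{ services_root }}/traefik/acme.json"
    state: touch
    owner: "{{ deploy_user }}"
    group: "{{ deploy_group }}"
    mode: "0600"
    modification_time: preserve
    access_time: preserve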