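---
# Provisions a uCore home server for the `core` user: host prerequisites,
# the vault-encrypted secrets file, CIFS mounts (tasks/cifs.yml), and the
# docker-compose stack under /home/core/compose-files.
- name: Configure homeserver (ucore)
  hosts: "*"
  remote_user: core
  pre_tasks:
    # NOTE(review): this disables SELinux enforcement for the whole host, not
    # just the containers; confirm it is still required before keeping it.
    - name: Put SELinux in permissive mode
      become: true
      ansible.posix.selinux:
        policy: targeted
        state: permissive

    - name: Create docker stack dir
      ansible.builtin.file:
        path: /home/core/compose-files/
        state: directory

    # secrets.env is decrypted on copy; pin the mode so the plaintext copy is
    # not created with the default (usually group/world-readable) umask.
    - name: Copy secrets file
      ansible.builtin.copy:
        decrypt: true
        src: secrets.env
        dest: /home/core/compose-files
        mode: '0600'

  tasks:
    - name: Enable tailscale
      become: true
      ansible.builtin.systemd_service:
        name: tailscaled
        state: started
        enabled: true

    - name: Enable docker sock
      become: true
      ansible.builtin.systemd_service:
        name: docker.socket
        state: started
        enabled: true

    # docker is starting before cifs mounts; socket activation starts it on demand
    - name: Disable docker service
      become: true
      ansible.builtin.systemd_service:
        name: docker.service
        enabled: false

    - name: Include CIFS mount tasks
      ansible.builtin.include_tasks:
        file: tasks/cifs.yml

    - name: Copy compose files
      ansible.builtin.copy:
        src: docker
        dest: /home/core/compose-files

    # Secret extraction: each value is read out of secrets.env and spliced into a
    # config file. The pipeline's exit status is sed's, so a missing key never
    # fails the command; failed_when makes an empty value an error instead of
    # silently writing "" into the config. no_log keeps the registered value and
    # the replace diff out of verbose/--diff output.
    - name: Get rathole token
      ansible.builtin.shell:
        cat /home/core/compose-files/secrets.env | grep RATHOLE_TOKEN | sed 's/^.*RATHOLE_TOKEN=//'
      register: rathole_token
      no_log: true
      failed_when: rathole_token.stdout | length == 0
      changed_when: false

    - name: Replace rathole tokens with secret
      ansible.builtin.replace:
        path: /home/core/compose-files/docker/rathole/rathole.toml
        regexp: '"token"'
        replace: '"{{ rathole_token.stdout }}"'
      no_log: true

    - name: Get crowdsec api key
      ansible.builtin.shell:
        cat /home/core/compose-files/secrets.env | grep TRAEFIK_BOUNCER_KEY | sed 's/^.*TRAEFIK_BOUNCER_KEY=//'
      register: crowdsec_token
      no_log: true
      failed_when: crowdsec_token.stdout | length == 0
      changed_when: false

    - name: Replace crowdsec api with secret
      ansible.builtin.replace:
        path: /home/core/compose-files/docker/traefik/dynamic.toml
        regexp: '"BOUNCER_KEY_TRAEFIK"'
        replace: '"{{ crowdsec_token.stdout }}"'
      no_log: true

    - name: Get crowdsec turnstile site key
      ansible.builtin.shell:
        cat /home/core/compose-files/secrets.env | grep TURNSTILE_SITE_KEY | sed 's/^.*TURNSTILE_SITE_KEY=//'
      register: crowdsec_turnstile_site_key
      no_log: true
      failed_when: crowdsec_turnstile_site_key.stdout | length == 0
      changed_when: false

    - name: Replace crowdsec token with site key
      ansible.builtin.replace:
        path: /home/core/compose-files/docker/traefik/dynamic.toml
        regexp: '"TURNSTILE_SITE_KEY"'
        replace: '"{{ crowdsec_turnstile_site_key.stdout }}"'
      no_log: true

    - name: Get crowdsec turnstile secret key
      ansible.builtin.shell:
        cat /home/core/compose-files/secrets.env | grep TURNSTILE_SECRET_KEY | sed 's/^.*TURNSTILE_SECRET_KEY=//'
      register: crowdsec_turnstile_secret_key
      no_log: true
      failed_when: crowdsec_turnstile_secret_key.stdout | length == 0
      changed_when: false

    - name: Replace crowdsec token with secret key
      ansible.builtin.replace:
        path: /home/core/compose-files/docker/traefik/dynamic.toml
        regexp: '"TURNSTILE_SECRET_KEY"'
        replace: '"{{ crowdsec_turnstile_secret_key.stdout }}"'
      no_log: true

    - name: Get cf email
      ansible.builtin.shell:
        cat /home/core/compose-files/secrets.env | grep CF_API_EMAIL | sed 's/^.*CF_API_EMAIL=//'
      register: cf_email
      no_log: true
      failed_when: cf_email.stdout | length == 0
      changed_when: false

    - name: Replace cf_email with email
      ansible.builtin.replace:
        path: /home/core/compose-files/docker/traefik/static.toml
        regexp: '"email"'
        replace: '"{{ cf_email.stdout }}"'
      no_log: true

    # Anchor on the exact group name and whole word so e.g. a "dockerroot" group
    # or a "corelib" user does not produce a false positive. A non-zero rc just
    # means "not a member", so the task is never treated as failed.
    - name: Check whether core user is in docker group
      ansible.builtin.shell:
        grep '^docker:' /etc/group | grep -w core
      register: core_in_docker
      failed_when: false
      changed_when: false

    - name: Add core user to docker group
      when: core_in_docker.rc != 0
      become: true
      ansible.builtin.user:
        name: "core"
        groups: docker
        append: true

    # New group membership only applies to fresh sessions; rebooting needs root.
    - name: Reboot if needed
      when: core_in_docker.rc != 0
      become: true
      ansible.builtin.reboot:

    - name: Create 'web' network
      community.docker.docker_network:
        name: web

    - name: Create 'internal' network
      community.docker.docker_network:
        name: internal

    # ACME account keys/certs live here; owner-only access.
    - name: Create acme dir
      ansible.builtin.file:
        path: /home/core/acme/
        state: directory
        mode: '0700'

    - name: Setup containers
      community.docker.docker_compose_v2:
        project_name: homeserver
        env_files: /home/core/compose-files/secrets.env
        project_src: ./
        files: /home/core/compose-files/docker/compose.yml
        remove_orphans: true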