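---
# Keycloak host setup: docker-compose stack (keycloak + mariadb), an apache
# reverse proxy in front of it, nightly MariaDB dumps and a borg streaming hook.

- name: Ensure docker-compose directory exists
  file:
    state: directory
    path: /etc/keycloak-docker

# The rendered compose file is root-only (0600): it is where the container
# credentials live.
- name: Write settings file
  template:
    src: docker-compose.yaml.j2
    dest: /etc/keycloak-docker/docker-compose.yaml
    owner: root
    group: root
    mode: "0600"
  notify: keycloak restart containers

# This deliberately does not set owner/group/mode, as the mariadb container
# chowns this directory to be owned by a container-internal user and drops
# root privileges. We don't want to reset this from outside the container.
- name: Ensure data directory exists
  file:
    state: directory
    path: /var/lib/keycloak/db

- name: Copy our MariaDB config stub overriding bind-address
  copy:
    src: 99-bind-address.cnf
    dest: /var/lib/keycloak/99-bind-address.cnf
    owner: root
    group: root
    mode: "0644"
  notify: keycloak restart containers

- name: Install apache2
  apt:
    name:
      - apache2
      - apache2-utils
    state: present

- name: Apache modules
  apache2_module:
    state: present
    name: "{{ item }}"
  loop:
    - rewrite
    - proxy
    - proxy_http
    - ssl
    - headers
    - proxy_wstunnel
  notify: keycloak restart apache2

# File modes are quoted strings throughout: an unquoted 0644 is parsed as
# the integer 420 by YAML and only works by accident.
- name: Copy apache config
  template:
    src: keycloak.vhost.j2
    dest: /etc/apache2/sites-enabled/000-default.conf
    owner: root
    group: root
    mode: "0644"
  notify: keycloak reload apache2

# None of the docker invocations below need shell features (no pipes,
# globs or variables), so `command` is used instead of `shell`: the
# argument vector is executed as-is and nothing is re-parsed by /bin/sh.
- name: Run docker-compose pull
  command:
    cmd: docker-compose pull
    chdir: /etc/keycloak-docker/

- name: Run docker-compose up
  command:
    cmd: docker-compose up -d
    chdir: /etc/keycloak-docker/
  register: keycloak_dcup

- name: Wait for keycloak to start
  wait_for:
    host: "::1"
    port: 8080
    timeout: 300

- name: Run docker prune to cleanup unneeded images
  command:
    cmd: docker image prune -f

#### Database Backups ####

# Root-only directory: the dumps contain every Keycloak secret (client
# secrets, credential hashes, ...).
- name: Create db backup dest
  file:
    state: directory
    path: /var/backups/keycloak-mariadb
    mode: "0700"
    owner: root
    group: root

# Notes on the job line (it is folded into a single crontab line):
#  * The pipeline runs under `bash -o pipefail` and writes to a .tmp file
#    that is only moved into place once the whole pipeline succeeded. With a
#    plain `mysqldump | gzip > file`, a failing mysqldump still lets gzip
#    overwrite the previous good backup with a near-empty archive, and the
#    logrotate job below then ages the good copies out day by day.
#  * The password reaches mysqldump through MYSQL_PWD (honoured by MariaDB
#    clients) instead of `-p"..."` in argv, so it does not show up in `ps`
#    -- including on the host, where container processes are visible.
#  * $MARIADB_ROOT_PASSWORD must be expanded by the bash *inside* the
#    container, hence the single-quoted inner command and the escaped `\$`
#    and `\"` within the outer double-quoted string that sh hands to bash.
#  * `exec -T` disables pseudo-TTY allocation so stdout can be piped.
# This relies on docker-compose exec propagating the exit status of the
# container command, which current versions do -- verify on upgrade.
- name: Set up cron job to backup the database
  cron:
    name: keycloak-db-backup
    state: present
    user: root
    minute: "14"
    hour: "5"
    job: >-
      /bin/bash -o pipefail -c
      "/usr/local/bin/docker-compose -f /etc/keycloak-docker/docker-compose.yaml exec -T mariadb
      bash -c 'MYSQL_PWD=\"\$MARIADB_ROOT_PASSWORD\" /usr/bin/mysqldump --opt --databases keycloak --single-transaction -uroot'
      | gzip -9 > /var/backups/keycloak-mariadb/keycloak-mariadb.sql.gz.tmp
      && mv -f /var/backups/keycloak-mariadb/keycloak-mariadb.sql.gz.tmp /var/backups/keycloak-mariadb/keycloak-mariadb.sql.gz"

- name: Rotate db backups
  include_role:
    name: logrotate
  vars:
    logrotate_file_name: /var/backups/keycloak-mariadb/keycloak-mariadb.sql.gz
    logrotate_compress: false

- name: Setup db backup streaming job
  block:
    # Explicit root:root 0755 so the directory holding a command that is
    # (presumably) executed by the backup job cannot end up writable by
    # anyone else through an unusual umask.
    - name: Create backup streaming config dir
      file:
        path: /etc/borg-streams
        state: directory
        owner: root
        group: root
        mode: "0755"

    # Same dump as the cron job, but uncompressed and with one INSERT per
    # row (--skip-extended-insert); presumably consumed on stdout by the borg
    # streaming backup (not visible here). The password again goes through
    # MYSQL_PWD inside the container rather than argv.
    - name: Create db streaming file
      copy:
        content: >-
          /usr/local/bin/docker-compose -f /etc/keycloak-docker/docker-compose.yaml exec -T mariadb
          bash -c 'MYSQL_PWD="$MARIADB_ROOT_PASSWORD" /usr/bin/mysqldump --skip-extended-insert --databases keycloak --single-transaction -uroot'
        dest: /etc/borg-streams/mysql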