apps.yaml

---

- name: Deploy all apps via Podman container
  hosts: all

  vars:
    hetzner_api_key: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      39323230633062363338333539313936313161663038313634643466313239373533393138353230
      6135633165613234613363343038333130346434326232360a386364393735373361656236626362
      66653930383631643938623263363530313539616631356136616564326631393065343464373839
      3863383166386133640a363131396331313733376135306563663931646634613566376335623936
      32363061336661613163333364346530353938396538626265393261626261393466666139613839
      3061376535376533623564656237316435393130626338386565
    lynx_database_password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      64663261373034653362636365643663366530346139643436356438363439333736663933663561
      6334306234333039356366353233373564626230313430630a373766623361613363663861343863
      38326531663165646262393865303666633635653834316263316438323936663431643063306633
      3334316337366563390a363333313633326133366630386265653639616433306135376530303334
      65383564323631303033356238333664366536653330653034643636646439376534
    lynx_app_secret: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      31633735626337393239343966353963336534346361363337346432306561623634386430383137
      3665633731383337373136623637333864396665353138380a313865663932396562363638353363
      63306165636639326339353837383538393836353130333837366538613836303433343133653765
      6536663861643765650a326634376234356364616437656134343465653237303761656532643035
      35616539376565306164313631393762353039613938353633373836623431363162316461306235
      65386430333239356632336639653230346164393537343838373436303539323630333935386336
      66336363376331316138393362393238653036383364303230303837646563356531316436313065
      65643233613861333039626135326332353235326661323765346263313230656436326337633535
      6231

  tasks:
    - name: Create podman network for caddy
      containers.podman.podman_network:
        name: caddy_connect
        state: present

    - name: Create caddy directories
      ansible.builtin.file:
        path: "/data/{{ item }}"
        state: directory
      loop:
        - caddy
        - caddy/data
        - caddy/config

    - name: Copy Caddyfile
      register: caddyfile_result
      ansible.builtin.copy:
        src: Caddyfile
        dest: /data/caddy/Caddyfile

    - name: Ensure Caddy is running
      register: caddy_container_result
      containers.podman.podman_container:
        name: caddy
        image: "docker.io/caddy:2.7.6-alpine@sha256:2e1d4592f1718bb47645da5a83a846fe19094f18e6c921fdf56d174f05c63213" # yamllint disable-line
        image_strict: true
        state: started
        network:
          - caddy_connect
        publish:
          - "80:80"
          - "443:443"
          - "443:443/udp"
        volumes:
          - /data/caddy/Caddyfile:/etc/caddy/Caddyfile
          - /data/caddy/data:/data
          - /data/caddy/config:/config
          - /var/www:/srv

    - name: Reload Caddy
      when: caddyfile_result is changed and caddy_container_result is not changed # yamllint disable-line
      containers.podman.podman_container_exec:
        name: caddy
        workdir: /etc/caddy
        command: caddy reload

    - name: Create vhost directories
      ansible.builtin.file:
        path: "/var/www/{{ item }}"
        state: directory
      loop:
        - citizenalpha.de
        - citizenalpha.de/www
        - citizenalpha.de/www/htdocs

    - name: Add deploy user for website
      ansible.builtin.user:
        name: deploy-website
        state: present
        password: "!"
        shell: /usr/bin/sh
        create_home: true

    - name: Add ssh key to deploy-website
      ansible.posix.authorized_key:
        user: deploy-website
        state: present
        exclusive: true
        key: "{{ lookup('file', 'files/deploy-website.pub') }}"

    - name: Make deploy-website owner of website
      ansible.builtin.file:
        path: "/var/www/citizenalpha.de/www/htdocs"
        owner: deploy-website
        group: deploy-website

    - name: Create bind-mount for htdocs of citizenalpha.de
      ansible.builtin.mount:
        src: /var/www/citizenalpha.de/www/htdocs
        path: /home/deploy-website/htdocs
        fstype: none
        opts: bind
        state: mounted

    - name: Create podman network for chasquid
      containers.podman.podman_network:
        name: chasquid_connect
        state: present

    - name: Create casquid directories
      ansible.builtin.file:
        path: "/data/{{ item }}"
        state: directory
      loop:
        - "chasquid_conf"
        - "chasquid_conf/certs"
        - "chasquid_conf/certs/citizenalpha.de"
        - "chasquid_conf/domains"
        - "chasquid_conf/domains/citizenalpha.de"
        - "chasquid_data"
        - "lego"

    - name: Copy Chasquid config
      register: chasquid_result
      ansible.builtin.copy:
        src: chasquid.conf
        dest: /data/chasquid_conf/chasquid.conf

    - name: Copy Chasquid dkim key
      ansible.builtin.copy:
        src: chasquid_dkim_20240605.pem
        dest: "/data/chasquid_conf/domains/citizenalpha.de/dkim:20240605.pem"
        mode: 0640

    - name: Copy Chasquid user db
      ansible.builtin.copy:
        src: chasquid_citizenalpha_de_user_db
        dest: /data/chasquid_conf/domains/citizenalpha.de/users
        mode: 0640

    - name: Check presence of chasquid certificate
      ansible.builtin.stat:
        path: /data/lego/certificates/citizenalpha.de.crt
      register: chasquid_cert_result

    - name: Create chasquid certificate
      when: not chasquid_cert_result.stat.exists
      register: lego_result
      containers.podman.podman_container:
        name: lego
        image: docker.io/goacme/lego:latest
        command:
          - --email
          - hallo@citizenalpha.de
          - --accept-tos
          - --dns
          - hetzner
          - -d
          - citizenalpha.de
          - run
        state: started
        env:
          HETZNER_API_KEY: "{{ hetzner_api_key }}"
        volumes:
          - "/data/lego:/.lego"

    - name: Copy chasquid certificate
      when: lego_result is changed
      ansible.builtin.copy:
        remote_src: /data/lego/certificates/citizenalpha.de.crt
        dest: /data/chasquid_conf/certs/citizenalpha.de/fullchain.pem
        mode: 0600

    - name: Copy chasquid certificate key
      when: lego_result is changed
      ansible.builtin.copy:
        remote_src: /data/lego/certificates/citizenalpha.de.key
        dest: /data/chasquid_conf/certs/citizenalpha.de/privkey.pem
        mode: 0600

    - name: Ensure Chasquid is running
      register: chasquid_container_result
      containers.podman.podman_container:
        name: chasquid
        image: "ghcr.io/citizenalpha-project/chasquid:latest"
        image_strict: true
        state: started
        network:
          - chasquid_connect
        volumes:
          - "/data/chasquid_data:/var/lib/chasquid"
          - "/data/chasquid_conf:/etc/chasquid"

    - name: Restart Chasquid
      when: chasquid_result is changed and chasquid_container_result is not changed # yamllint disable-line
      containers.podman.podman_container_exec:
        name: chasquid
        force_restart: true

    - name: Create offen directories
      ansible.builtin.file:
        path: "/data/offen"
        state: directory

    - name: Create offen directories 2
      ansible.builtin.file:
        path: "/data/offen/data"
        state: directory
        owner: 10000
        group: 10001

    - name: Copy Offen env file
      register: offen_env_result
      ansible.builtin.copy:
        src: offen.env
        dest: /data/offen/offen.env
        mode: 0600

    - name: Ensure Offen is running
      register: offen_container_result
      containers.podman.podman_container:
        name: offen
        image: "docker.io/offen/offen:v1.4.2@sha256:4a69f8cbcdbff26505e728ad803a9b8ff6752bd10330749633bc507276e52c5d" # yamllint disable-line
        image_strict: true
        state: started
        env_file:
          - /data/offen/offen.env
        network:
          - caddy_connect
          - chasquid_connect
        volumes:
          - "/data/offen/data:/var/opt/offen"

    - name: Restart Offen
      when: offen_env_result is changed and offen_container_result is not changed # yamllint disable-line
      containers.podman.podman_container:
        name: offen
        state: started
        force_restart: true

    - name: Create Lynx directories
      ansible.builtin.file:
        path: "/data/lynxdb"
        state: directory

    - name: Create Lynx network
      containers.podman.podman_network:
        name: lynx_connect
        state: present

    - name: Create Lynx database
      containers.podman.podman_container:
        name: lynxdb
        image: "docker.io/postgres:16.3-alpine@sha256:d037653693c4168efbb95cdc1db705d31278a4a8d608d133eca1f07af9793960" # yamllint disable-line
        image_strict: true
        state: started
        network:
          - lynx_connect
        env:
          POSTGRES_USER: lynx
          POSTGRES_PASSWORD: "{{ lynx_database_password }}"
          POSTGRES_DB: lynx
        volumes:
          - "/data/lynxdb:/var/lib/postgresql/data"

    - name: Ensure Lynx is running
      register: lynx_container_result
      containers.podman.podman_container:
        name: lynx
        image: "docker.io/clivern/lynx:0.11.9@sha256:42fb8ad273d2e2eb09961fdfd4b9cfca00aea59a4a6877a2682537f3308087cc" # yamllint disable-line
        image_strict: true
        command:
          - "sh"
          - "-c"
          - "/app/bin/migrate && /app/bin/server"
        state: started
        env:
          APP_NAME: Lynx
          APP_PORT: 4000
          APP_SECRET: "{{ lynx_app_secret }}"
          APP_HOST: localhost
          APP_HTTP_SCHEMA: http
          DB_USERNAME: lynx
          DB_PASSWORD: "{{ lynx_database_password }}"
          DB_HOSTNAME: lynxdb
          DB_DATABASE: lynx
          DB_PORT: 5432
          DB_SSL: null
          DB_CA_CERTFILE_PATH: null
          MIX_ENV: prod
        network:
          - caddy_connect
          - chasquid_connect
          - lynx_connect