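---
# Firewall: Caddy serves HTTP/1.1 and HTTP/2 over TCP and HTTP/3 (QUIC)
# over UDP, all on the standard ports.
- name: Allow HTTP traffic
  community.general.ufw:
    rule: allow
    port: 80
    proto: tcp

- name: Allow HTTPS traffic
  community.general.ufw:
    rule: allow
    port: 443
    proto: tcp

- name: Allow HTTPS/QUIC (HTTP/3) traffic
  community.general.ufw:
    rule: allow
    port: 443
    proto: udp

# The empty loop item creates /srv/caddy itself; the remaining items are
# its data, config and sites subdirectories.
- name: Create Caddy directories
  ansible.builtin.file:
    path: "/srv/caddy/{{ item }}"
    state: directory
    owner: root
    group: docker
    mode: "0755"
  loop:
    - ""
    - data
    - config
    - sites

- name: Create site roots
  ansible.builtin.file:
    path: "/srv/caddy/sites/{{ item }}"
    state: directory
    owner: root
    group: docker
    mode: "0775"  # also allow members of the docker group to write
  loop: "{{ caddy_sites }}"

# force: false makes this a one-time seed: once a site has content, the
# template is never written over it.
- name: Deploy default landing page for empty sites
  ansible.builtin.template:
    src: index.html.j2
    dest: "/srv/caddy/sites/{{ item }}/index.html"
    owner: root
    group: docker
    mode: "0644"
    force: false  # never overwrite real content
  loop: "{{ caddy_sites }}"

# NOTE(review): the Caddyfile is rendered before the goaccess hash is computed
# below, so Caddyfile.j2 cannot rely on caddy_goaccess_hash_stdout; only
# compose.yml.j2 sees it. Confirm which template consumes the fact.
- name: Install Caddyfile
  ansible.builtin.template:
    src: Caddyfile.j2
    dest: /srv/caddy/Caddyfile
    owner: root
    group: docker
    mode: "0644"
  notify: Restart Caddy
  tags: config

# goaccess basic-auth hash. The hash produced by `caddy hash-password` is
# cached in /srv/caddy/.goaccess_hash (mode 0600) and reused on later runs,
# presumably so the fact stays stable across plays. The cache is never
# invalidated when goaccess_password changes: remove the cache file on the
# host to rotate the password.
# NOTE(review): none of these tasks carry the `config` tag, so a
# `--tags config` run renders compose.yml without caddy_goaccess_hash_stdout;
# confirm compose.yml.j2 tolerates that or tag this block as well.
- name: Manage goaccess password hash
  when: enable_goaccess | default(true)
  block:
    - name: Check for cached goaccess hash
      ansible.builtin.stat:
        path: /srv/caddy/.goaccess_hash
      register: _goaccess_hash_stat

    - name: Read goaccess hash from cache
      ansible.builtin.slurp:
        src: /srv/caddy/.goaccess_hash
      register: _goaccess_hash_file
      when: _goaccess_hash_stat.stat.exists

    - name: Set goaccess hash fact from cache
      ansible.builtin.set_fact:
        caddy_goaccess_hash_stdout: "{{ _goaccess_hash_file.content | b64decode | trim }}"
      when: _goaccess_hash_stat.stat.exists

    # no_log keeps the plaintext out of Ansible output, but --plaintext still
    # places it on the command line, where it is visible in the host's
    # process list for as long as the container runs.
    - name: Generate goaccess password hash
      ansible.builtin.command:
        argv:
          - docker
          - run
          - --rm
          - "caddy:{{ caddy_version }}"
          - caddy
          - hash-password
          - --plaintext
          - "{{ goaccess_password }}"
      register: _goaccess_hash_result
      changed_when: false
      no_log: true
      when: not _goaccess_hash_stat.stat.exists

    - name: Cache goaccess hash
      ansible.builtin.copy:
        content: "{{ _goaccess_hash_result.stdout }}"
        dest: /srv/caddy/.goaccess_hash
        mode: "0600"
      when: not _goaccess_hash_stat.stat.exists

    - name: Set goaccess hash fact from generation
      ansible.builtin.set_fact:
        caddy_goaccess_hash_stdout: "{{ _goaccess_hash_result.stdout }}"
      when: not _goaccess_hash_stat.stat.exists

- name: Deploy Caddy compose.yml
  ansible.builtin.template:
    src: compose.yml.j2
    dest: /srv/caddy/compose.yml
    owner: root
    group: docker
    mode: "0644"
  notify: Restart Caddy
  tags: config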