---
# Server host tasks: user dotfiles, service directories, rendered templates,
# sshd login restrictions and the UFW rule set.
# Item shapes (src/dest/mode, path/owner/group/mode, rule/port/...) are only
# implied by the lookups below — confirm against the role's defaults/vars.

# Copies files from the repo's dotfiles/server tree into the server user's
# home; every item needs src, dest and mode.
- name: Copy server dotfiles
  tags: [dotfiles, dotfiles:server]
  ansible.builtin.copy:
    src: "{{ playbook_dir }}/../dotfiles/server/{{ item.src }}"
    dest: "{{ server_user_home }}/{{ item.dest }}"
    owner: "{{ server_username }}"
    group: "{{ server_user_group }}"
    mode: "{{ item.mode }}"
  loop: "{{ server_dotfiles | default([]) }}"
  loop_control:
    label: "{{ item.dest }}"

# Fails early, before any secret is rendered into a file, if either vault
# variable is missing or empty. assert does not print the values themselves.
- name: Require server container secret variables
  tags: [dotfiles, dotfiles:server, services]
  ansible.builtin.assert:
    that:
      - (vault_navidrome_db_password | default('')) | length > 0
      - (vault_postgres_root_password | default('')) | length > 0
    fail_msg: >-
      Server container secrets are missing. Define vault_navidrome_db_password
      and vault_postgres_root_password in secrets/vault.yml or another vars source.

# Each item must carry path, owner, group and mode — there are no defaults here.
- name: Ensure server directories exist
  tags: [dotfiles, services]
  ansible.builtin.file:
    path: "{{ item.path }}"
    state: directory
    owner: "{{ item.owner }}"
    group: "{{ item.group }}"
    mode: "{{ item.mode }}"
  loop: "{{ server_directories | default([]) }}"
  loop_control:
    label: "{{ item.path }}"

# Renders templates; a relative dest is placed under the server user's home,
# an absolute dest is used as-is. owner/group fall back to the server user.
# Items that render secrets (e.g. container env files) should set
# no_log: true so the diff/output does not echo the rendered content.
- name: Render server templates
  tags: [dotfiles, dotfiles:server]
  ansible.builtin.template:
    src: "{{ item.src }}"
    dest: "{{ item.dest if item.dest.startswith('/') else server_user_home ~ '/' ~ item.dest }}"
    owner: "{{ item.owner | default(server_username) }}"
    group: "{{ item.group | default(server_user_group) }}"
    mode: "{{ item.mode }}"
  loop: "{{ server_templates | default([]) }}"
  loop_control:
    label: "{{ item.dest }}"
  no_log: "{{ item.no_log | default(false) }}"

# Replaces the first active PermitRootLogin line, or appends one at EOF when
# only the commented default exists. sshd uses the first value it reads for a
# keyword, so a drop-in pulled in by an earlier Include directive (if the
# host's sshd_config has one) would win over an appended line — confirm no
# such drop-in sets PermitRootLogin. validate runs sshd -t against the
# candidate file before it replaces the real config.
- name: Disable SSH root login on server
  tags: [services]
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^\s*PermitRootLogin\s+'
    line: "PermitRootLogin {{ server_sshd_settings.PermitRootLogin }}"
    state: present
    validate: "sshd -t -f %s"
  notify: Reload SSH service

# Skipped when the allow-list is empty, so an unset variable never produces an
# empty AllowUsers line. validate only checks syntax: the list must still
# include the account Ansible connects as, or the next play cannot log in.
- name: Restrict SSH login to allowed users on server
  tags: [services]
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^\s*AllowUsers\s+'
    line: "AllowUsers {{ server_sshd_allow_users | join(' ') }}"
    state: present
    validate: "sshd -t -f %s"
  notify: Reload SSH service
  when: (server_sshd_allow_users | default([])) | length > 0

# Single place that resolves the rule list; both UFW tasks below read it so
# the "apply" and "enable" steps cannot disagree about whether rules exist.
- name: Define effective server UFW rules
  tags: [services, packages]
  ansible.builtin.set_fact:
    server_ufw_rules_effective: "{{ server_ufw_rules | default([]) }}"

# Only `rule` is mandatory per item; every other field is passed through as
# `omit` when absent. Note the item keys src/dest map to the module's
# from_ip/to_ip parameters.
- name: Apply server UFW rules
  tags: [services, packages]
  community.general.ufw:
    rule: "{{ item.rule }}"
    name: "{{ item.name | default(omit) }}"
    port: "{{ item.port | default(omit) }}"
    proto: "{{ item.proto | default(omit) }}"
    from_ip: "{{ item.src | default(omit) }}"
    to_ip: "{{ item.dest | default(omit) }}"
    from_port: "{{ item.from_port | default(omit) }}"
    direction: "{{ item.direction | default(omit) }}"
    interface: "{{ item.interface | default(omit) }}"
    interface_in: "{{ item.interface_in | default(omit) }}"
    interface_out: "{{ item.interface_out | default(omit) }}"
    route: "{{ item.route | default(omit) }}"
    comment: "{{ item.comment | default(omit) }}"
  loop: "{{ server_ufw_rules_effective }}"
  loop_control:
    label: "{{ item.name | default(item.port) }}"

# Enables the firewall only after at least one rule has been applied; the
# default incoming/outgoing policies are left as ufw already has them (not set
# here). The rule list should contain the SSH port before this runs, otherwise
# enabling cuts the current connection.
- name: Enable UFW firewall on server
  tags: [services, packages]
  community.general.ufw:
    state: enabled
  when: (server_ufw_rules_effective | default([])) | length > 0