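---
# Example play kept from the original for reference:
# - hosts: all
#   tasks:
#     - name: Print message
#       debug:
#         msg: Hello Ansible World

# Provisions Docker (with a Docker Hub pull-through cache), a ufw firewall that
# also governs published container ports, and unattended upgrades.
# Required vars: DOCKER_IO_PASSWORD, anyops_trusted_hosts
# (DOCKER_IO_USERNAME is optional and defaults to the value the play used before).
- hosts: all
  become: true

  tasks:
    ## Docker

    # Keep the Docker signing key in its own keyring and bind it to the
    # repository with signed-by= (below) instead of apt_key, which adds the key
    # to the globally trusted set and lets it sign packages from any repository.
    - name: Ensure apt keyring directory exists
      ansible.builtin.file:
        path: /etc/apt/keyrings
        state: directory
        mode: "0755"

    - name: Add Docker GPG apt key
      ansible.builtin.get_url:
        url: https://download.docker.com/linux/ubuntu/gpg
        dest: /etc/apt/keyrings/docker.asc
        mode: "0644"

    # The release codename comes from gathered facts rather than a hard-coded
    # "jammy", so the repository matches the host actually being provisioned
    # (the debug task below shows the value that will be used).
    - name: Add Docker repository
      ansible.builtin.apt_repository:
        repo: >-
          deb [signed-by=/etc/apt/keyrings/docker.asc]
          https://download.docker.com/linux/ubuntu
          {{ ansible_distribution_release }} stable
        state: present

    - name: debug for repo
      ansible.builtin.debug:
        msg: "{{ ansible_distribution_release }}"

    # NOTE: state: latest is unpinned and upgrades docker-ce on every run,
    # which restarts the daemon (and, without live-restore, its containers).
    - name: Update apt and install docker-ce
      ansible.builtin.apt:
        name: docker-ce
        state: latest
        update_cache: true

    - name: install pip3
      ansible.builtin.apt:
        name: python3-pip
        state: latest

    # Removes a leftover test container if one exists; nothing is created.
    - name: Container present test
      community.docker.docker_container:
        name: ansible_deployed
        state: absent

    # Pull-through cache for Docker Hub. The upstream credential is handed to
    # the container as an environment variable, so anyone who can run
    # `docker inspect` on this host can read it; no_log at least keeps it out of
    # the Ansible output. "5000:5000" publishes on all interfaces and the
    # registry is unauthenticated plain HTTP, so reachability is controlled only
    # by the ufw/ufw-docker rules below -- bind to a specific address (e.g. the
    # WireGuard IP) if wider exposure is not intended. The "2" tag is mutable;
    # pin a digest if you want a reproducible image.
    - name: Registry cache
      community.docker.docker_container:
        name: registry_cache
        state: started
        restart_policy: unless-stopped
        image: mirror.gcr.io/registry:2
        ports:
          - "5000:5000"
        volumes:
          - /var/lib/registry:/var/lib/registry
        env:
          REGISTRY_PROXY_REMOTEURL: https://registry-1.docker.io
          REGISTRY_PROXY_USERNAME: "{{ DOCKER_IO_USERNAME | default('stelb') }}"
          REGISTRY_PROXY_PASSWORD: "{{ DOCKER_IO_PASSWORD }}"
      no_log: true

    ## Firewall

    # Docker inserts its own iptables chains and bypasses ufw for published
    # ports; the ufw-docker rules in after.rules close that gap. after.rules is
    # only re-read on a ufw reload, hence the handler.
    - name: add docker rules to ufw
      ansible.builtin.blockinfile:
        path: /etc/ufw/after.rules
        marker_begin: BEGIN UFW AND DOCKER
        marker_end: END UFW AND DOCKER
        state: present
        block: "{{ lookup('ansible.builtin.file', 'ufw-docker.rules') }}"
      notify: reload ufw
      tags:
        - ufw

    # Must carry the same tag as "enable ufw": a run with --tags ufw would
    # otherwise enable the reject policy without the SSH allow rule and lock
    # you out of the host.
    - name: allow OpenSSH
      community.general.ufw:
        rule: allow
        app: OpenSSH
      tags:
        - ufw

    - name: enable ufw
      community.general.ufw:
        state: enabled
        policy: reject
      tags:
        - ufw

    # route: true turns these into routed (FORWARD) rules for published
    # container ports, not host INPUT rules. 53/udp+tcp is open to everyone:
    # the DNS server must restrict recursion to its own clients or this host
    # becomes an open resolver usable for amplification.
    - name: open ports
      community.general.ufw:
        rule: allow
        proto: "{{ item[1] }}"
        port: "{{ item[0] }}"
        route: "{{ item[2] | default(omit) }}"
      loop:
        - [80, 'tcp', true]     # traefik
        - [443, 'tcp', true]    # traefik
        - [25, 'tcp', true]     # smtp ntfy
        - [51820, 'udp', true]  # wireguard
        - [53, 'udp', true]     # technitium, dns
        - [53, 'tcp', true]     # technitium, dns
        # - [1935, 'udp', true]  # owncast
        # - [1935, 'tcp', true]  # owncast
        - [2222, 'tcp', true]   # forgejo
        - [22, 'tcp', true]     # forgejo
      tags:
        - ufw

    # Allows every port from each trusted host (host INPUT chain). The list
    # lives in anyops_trusted_hosts; the former inline entries were:
    #   - 37.27.176.103  # muh.anyops.de
    #   - 10.201.201.2   # wireguard
    - name: open all for own hosts
      community.general.ufw:
        rule: allow
        from: "{{ item }}"
      loop: "{{ anyops_trusted_hosts }}"
      tags:
        - ufw

    - name: autoupgrade
      ansible.builtin.include_role:
        name: anyops_autoupgrade

  handlers:
    # Runs once at the end of the play when after.rules changed, after ufw has
    # been enabled by the tasks above.
    - name: reload ufw
      community.general.ufw:
        state: reloaded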