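---
# Adapted from https://forgejo.org/docs/latest/admin/installation-binary/
#
# Installs a pinned Forgejo release binary, creates the `git` service account
# and Forgejo's data/config directories, deploys app.ini, the secrets
# directory and the systemd unit, then enables and starts the service.
- name: Install Forgejo
  hosts: webserver
  become: true
  become_user: root

  tasks:
    # The release is pinned by version and by SHA-256 digest, so a corrupted
    # or substituted download fails the task instead of being installed.
    # When bumping the version, update the URL and the checksum together, and
    # take the new digest from the release page rather than from the file you
    # just downloaded.
    - name: Download Forgejo binary to /usr/local/bin (and verify its checksum)
      ansible.builtin.get_url:
        url: https://codeberg.org/forgejo/forgejo/releases/download/v1.21.3-0/forgejo-1.21.3-0-linux-amd64
        dest: /usr/local/bin/forgejo
        checksum: "sha256:8c8f34e889f968b4f9357701ceee7daab5b47ea605793325da8e3e740457b45a"
        # Root-owned and not group/world-writable: the service account can
        # execute the binary but cannot replace it.
        owner: root
        group: root
        mode: "755"

    - name: Update apt cache
      ansible.builtin.apt:
        update_cache: true

    - name: Install git and git-lfs
      ansible.builtin.apt:
        name:
          - git
          - git-lfs
        state: present

    - name: Create git user
      ansible.builtin.user:
        name: git
        password: "!"  # disables password login
        home: /home/git
        shell: /bin/bash
        comment: Git Version Control

    # Data directory: owned by the service account, no access for others.
    - name: Create Forgejo's data directory
      ansible.builtin.file:
        path: /var/lib/forgejo
        state: directory
        mode: "750"
        owner: git
        group: git

    # Config directory: root-owned, group `git` may read and traverse but not
    # write, so the running service cannot rewrite its own configuration.
    - name: Create Forgejo's config directory
      ansible.builtin.file:
        path: /etc/forgejo
        state: directory
        mode: "750"
        owner: root
        group: git

    # NOTE: Instead of copying a pre-built app.ini, you could also skip this,
    # use SSH tunneling to access the server over port 3000, and use their
    # built-in setup process. You'd need to temporarily change /etc/forgejo to
    # have mode "770", to allow Forgejo to write its own config file. (This is
    # what we did for our first-time setup, then we copied app.ini to here!)
    #
    # owner/group are set explicitly, matching the secrets task below. On a
    # fresh host, a file created by this task as root would otherwise be
    # root:root, and mode "640" would then leave it unreadable to the `git`
    # group.
    # NOTE(review): assumes files/forgejo.service runs Forgejo as `git` -
    # confirm against the unit file.
    - name: Copy app.ini to Forgejo's config directory
      ansible.builtin.copy:
        src: files/app.ini
        dest: /etc/forgejo/app.ini
        owner: root
        group: git
        mode: "640"
      notify:
        - Restart Forgejo

    # NOTE: Instead of having a separate secrets directory, you could hardcode
    # the secrets into app.ini. This extra indirection just lets us share our
    # app.ini publicly, while keeping the secret tokens in gitignored files.
    # Also, the directory name "secrets" and the file names we chose aren't
    # reserved by Forgejo! Forgejo simply ignores any unrecognized files in
    # /etc/forgejo, then we reference our secret files by path in app.ini.
    #
    # `src` has no trailing slash, so the directory itself is copied and
    # ends up at /etc/forgejo/secrets.
    - name: Copy secrets directory to Forgejo's config directory
      ansible.builtin.copy:
        src: files/secrets
        dest: /etc/forgejo
        directory_mode: "750"
        mode: "640"
        owner: root
        group: git
      # Keep secret file contents out of `--diff` output and any logs that
      # capture it.
      diff: false
      notify:
        - Restart Forgejo

    # The unit file decides which user and binary the service runs as, so it
    # is pinned to root ownership and is writable by root only, rather than
    # inheriting whatever the umask or an existing file would give.
    - name: Install systemd service for Forgejo
      ansible.builtin.copy:
        src: files/forgejo.service
        dest: /etc/systemd/system/forgejo.service
        owner: root
        group: root
        mode: "644"
      notify:
        - Reload service files
        - Restart Forgejo

    - name: Enable Forgejo service
      ansible.builtin.systemd_service:
        name: forgejo
        enabled: true
        state: started

  # Handlers run in the order they are listed here, so a changed unit file is
  # reloaded before the service is restarted.
  handlers:
    - name: Reload service files
      ansible.builtin.systemd_service:
        daemon_reload: true

    - name: Restart Forgejo
      ansible.builtin.systemd_service:
        name: forgejo
        state: restarted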