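# Install Forgejo, publish it through nginx over a unix socket, write its
# app.ini settings, then bootstrap the admin account and the OpenID Connect
# login source.

- name: Install forgejo
  package:
    name:
      - forgejo

- name: Create nginx site
  template:
    dest: /etc/nginx/http.d/forgejo.conf
    src: forgejo.conf.j2
  notify: reload nginx

# Each loop item sets one key in app.ini; an item without `section` is written
# with an empty section name.
# NOTE(review): no owner/group/mode is set here, so an existing app.ini keeps
# whatever permissions it already has. Forgejo keeps its own generated secrets
# in this file; confirm it is not world-readable.
- name: Configure forgejo
  ini_file:
    path: /etc/forgejo/app.ini
    section: '{{ item.section | default("") }}'
    option: '{{ item.option }}'
    value: '{{ item.value }}'
  loop:
    - { option: APP_NAME, value: 'FRI git' }
    # Accounts are created automatically on first SSO login and local
    # self-registration is disabled, so the identity provider alone decides
    # who gets an account.
    - { section: oauth2_client, option: ENABLE_AUTO_REGISTRATION, value: true }
    - { section: oauth2_client, option: USERNAME, value: email }
    - { section: service, option: ALLOW_ONLY_EXTERNAL_REGISTRATION, value: true }
    - { section: service, option: DEFAULT_USER_VISIBILITY, value: public }
    - { section: service.explore, option: DEFAULT_USERS_PAGE, value: private }
    - { section: database, option: SQLITE_JOURNAL_MODE, value: WAL }
    - { section: log, option: ROOT_PATH, value: /var/lib/forgejo/log }
    - { section: server, option: ROOT_URL, value: 'https://{{ dns_name }}/' }
    # Forgejo listens on a unix socket instead of a TCP port.
    - { section: server, option: PROTOCOL, value: http+unix }
    - { section: server, option: HTTP_ADDR, value: socket }
    # Quoted so the mode stays a string of digits. 660 gives no access to
    # "other"; presumably nginx reaches the socket through group membership,
    # verify against the nginx site template.
    - { section: server, option: UNIX_SOCKET_PERMISSION, value: '660' }
    - { section: server, option: LANDING_PAGE, value: "explore" }
    - { section: server, option: LFS_START_SERVER, value: true }
    - { section: lfs, option: PATH, value: /var/lib/forgejo/data/lfs }
    - { section: repository, option: DEFAULT_BRANCH, value: master }
    # Pushing to a repository that does not exist yet creates it.
    - { section: repository, option: ENABLE_PUSH_CREATE_ORG, value: true }
    - { section: repository, option: ENABLE_PUSH_CREATE_USER, value: true }
    # Turns off the UI warning about ambiguous Unicode characters in file
    # contents; reviewers lose that hint for look-alike characters.
    - { section: ui, option: AMBIGUOUS_UNICODE_DETECTION, value: false }
    # The running version is not shown in the page footer.
    - { section: other, option: SHOW_FOOTER_VERSION, value: false }
    - { section: other, option: SHOW_FOOTER_TEMPLATE_LOAD_TIME, value: false }
    - { section: cron.update_checker, option: ENABLED, value: false }
    # Keeps the web installer disabled, so the first visitor cannot
    # reconfigure the instance.
    - { section: security, option: INSTALL_LOCK, value: true }
  notify: restart forgejo

- name: Enable forgejo service
  service:
    name: forgejo
    enabled: true
  notify: restart forgejo

# Apply pending restarts/reloads now, before the CLI bootstrap below.
- meta: flush_handlers

- name: Set up authentication
  become: true
  become_user: forgejo
  block:
    # argv passes every value as exactly one argument, so a password or name
    # containing quotes or spaces cannot break or alter the command line.
    # no_log keeps the password out of Ansible's output and logs; it also
    # hides stderr on failure, so drop it temporarily when debugging.
    # The password is still visible in the host's process list while the
    # command runs.
    # An existing user is tolerated and left untouched: re-running this task
    # does not change the password of an account that already exists.
    - name: Create admin user
      command:
        argv:
          - forgejo
          - admin
          - user
          - create
          - '--admin'
          - '--username'
          - '{{ password.admin_user }}'
          - '--email'
          - '{{ password.admin_mail }}'
          - '--password'
          - '{{ password.admin_pass }}'
      notify: restart forgejo
      register: result
      changed_when: 'result.rc == 0'
      failed_when: 'result.rc != 0 and "user already exists" not in result.stderr'
      no_log: true

    # Same argv/no_log reasoning as above, here for the OIDC client secret.
    # An existing login source is tolerated and left untouched: a rotated
    # client secret is not applied by re-running this task.
    - name: Set up SSO
      command:
        argv:
          - forgejo
          - admin
          - auth
          - add-oauth
          - '--provider=openidConnect'
          - '--name'
          - '{{ password.oidc_name }}'
          - '--auto-discover-url'
          - '{{ password.oidc_endpoint }}'
          - '--key'
          - '{{ password.oidc_client_id }}'
          - '--secret'
          - '{{ password.oidc_client_secret }}'
      register: result
      changed_when: 'result.rc == 0'
      failed_when: 'result.rc != 0 and "login source already exists" not in result.stderr'
      no_log: true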