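---
# Provisions a Forgejo instance: a host-side `git` user whose login shell
# forwards ssh sessions into the container, plus the container itself via the
# shared `service` role. Variables consumed: forgejo_tag, forgejo_domain,
# forgejo_secret_key, forgejo_smtp_server, forgejo_smtp_from, forgejo_smtp_user,
# forgejo_smtp_password, forgejo_require_signin_view,
# forgejo_enable_internal_signin.

- name: Ensure netcat-openbsd is installed for ssh shell
  # Used by the ssh-shell template installed below (presumably to relay the
  # session into the container's ssh socket — confirm against ssh-shell.j2).
  ansible.builtin.apt:
    name: netcat-openbsd
    state: present

- name: Create git system user on host for forgejo ssh
  # The resulting uid/gid are handed to the container (USER_UID/USER_GID below)
  # so files under the bind-mounted ~/.ssh are owned consistently on both sides.
  # NOTE(review): assumes the `git` group already exists (this task does not
  # create it) — confirm it is created by an earlier task or elsewhere.
  ansible.builtin.user:
    name: git
    group: git
    system: true
    home: /srv/forgejo/git
    generate_ssh_key: true
    ssh_key_type: ed25519
    shell: /srv/forgejo/git/ssh-shell
  register: _forgejo_git_user

- name: Add git user's own ssh key to its authorized keys
  # The key generated above is trusted by the same account; presumably the
  # forwarding shell uses it to reach the container's sshd. Because this entry
  # is not written by Forgejo, SSH_ALLOW_UNEXPECTED_AUTHORIZED_KEYS is enabled
  # in the container env below.
  ansible.posix.authorized_key:
    user: git
    key: "{{ _forgejo_git_user.ssh_public_key }}"

- name: Install ssh forwarding shell for forgejo
  # Left root-owned (no owner/group set) so the git user cannot modify its own
  # login shell; only executable, not writable, for that account.
  ansible.builtin.template:
    src: ssh-shell.j2
    dest: /srv/forgejo/git/ssh-shell
    mode: "0755"

- name: Forgejo service
  ansible.builtin.import_role:
    name: service
  vars:
    service_name: forgejo
    service_container_image: "codeberg.org/forgejo/forgejo:{{ forgejo_tag }}"
    service_container_mounts:
      - type: volume
        source: data
        destination: /data
      - type: bind
        source: /etc/localtime
        destination: /etc/localtime
        readonly: true
      # Must stay writable: Forgejo maintains authorized_keys here and the
      # host sshd reads it for the git user.
      - type: bind
        source: /srv/forgejo/git/.ssh
        destination: /data/git/.ssh
    service_container_secrets:
      - name: secret-key
        value: "{{ forgejo_secret_key }}"
      # Delivered as a file (see FORGEJO__mailer__PASSWD__FILE) rather than an
      # environment variable, so the SMTP password is not readable from the
      # container's environment the way plain env values are.
      - name: smtp-password
        value: "{{ forgejo_smtp_password }}"
    service_domains:
      - "{{ forgejo_domain }}"
    service_database_type: postgres
    service_postgres_tag: 18-alpine
    service_container_publish_ports:
      - name: ssh
        type: socket
        container_port: 22
    service_container_env:
      # uid and numeric gid of the host git user created above.
      USER_UID: "{{ _forgejo_git_user.uid }}"
      USER_GID: "{{ _forgejo_git_user.group }}"
      # Secrets are read from files; `__FILE` / `_URI` forms keep them out of
      # the process environment.
      FORGEJO__security__SECRET_KEY_URI: file:/run/secrets/secret-key
      FORGEJO__database__DB_TYPE: postgres
      FORGEJO__database__USER: forgejo
      FORGEJO__database__NAME: forgejo
      FORGEJO__database__HOST: postgres
      # NOTE(review): assumes the `service` role provides a `postgres` secret at
      # this path when service_database_type is postgres — confirm in that role.
      FORGEJO__database__PASSWD__FILE: /run/secrets/postgres
      # HTTP is served over a unix socket only; the role is expected to front
      # it, so the container exposes no TCP web port.
      FORGEJO__server__PROTOCOL: http+unix
      FORGEJO__server__HTTP_ADDR: /run/forgejo.sock
      FORGEJO__server__DOMAIN: "{{ forgejo_domain }}"
      FORGEJO__server__ROOT_URL: "https://{{ forgejo_domain }}"
      # Required because the git user's own key (added above) lives in the
      # shared authorized_keys file alongside the entries Forgejo manages.
      FORGEJO__server__SSH_ALLOW_UNEXPECTED_AUTHORIZED_KEYS: "true"
      FORGEJO__mailer__ENABLED: "true"
      FORGEJO__mailer__PROTOCOL: smtp
      FORGEJO__mailer__SMTP_ADDR: "{{ forgejo_smtp_server }}"
      FORGEJO__mailer__SMTP_PORT: "587"
      FORGEJO__mailer__FROM: "{{ forgejo_smtp_from }}"
      FORGEJO__mailer__USER: "{{ forgejo_smtp_user }}"
      FORGEJO__mailer__PASSWD__FILE: /run/secrets/smtp-password
      # Self-registration is off; accounts are only created through the OAuth2
      # client auto-registration flow. OpenID sign-in is disabled.
      FORGEJO__service__DISABLE_REGISTRATION: "true"
      FORGEJO__service__REQUIRE_SIGNIN_VIEW: "{{ forgejo_require_signin_view | ternary('true', 'false') }}"
      FORGEJO__service__ENABLE_INTERNAL_SIGNIN: "{{ forgejo_enable_internal_signin | ternary('true', 'false') }}"
      FORGEJO__oauth2_client__ENABLE_AUTO_REGISTRATION: "true"
      FORGEJO__openid__ENABLE_OPENID_SIGNIN: "false"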