authser/ansible/deploy.yml

---
# =============================================================
# ecosplay-auth deploy playbook (local execution on the server)
#
# Assumes:
#   - This repo is cloned at {{ deploy_dir }} (default /var/www/e-auth)
#     and the playbook is invoked from inside ansible/.
#   - Caddy is already installed on the server with the
#     caddy-dns/cloudflare plugin and loads per-site files from
#     /etc/caddy/site/*.conf.
#   - The user running `ansible-playbook` has passwordless sudo.
#
# Usage:
#   cd /var/www/e-auth/ansible
#   ansible-playbook deploy.yml
# =============================================================

- name: Deploy ecosplay-auth (Keycloak + Caddy vhost)
  hosts: localhost
  connection: local
  become: true
  gather_facts: true

  vars:
    # Root of the repo (the parent of the ansible/ directory).
    deploy_dir: "{{ playbook_dir | dirname }}"

  tasks:

    # ---------------------------------------------------------
    # System prerequisites
    # ---------------------------------------------------------
    - name: Install base packages
      ansible.builtin.apt:
        name:
          - ca-certificates
          - curl
          - gnupg
          - python3-apt
          - rsync
        update_cache: yes
        state: present

    # ---------------------------------------------------------
    # Docker Engine + compose plugin (idempotent)
    # ---------------------------------------------------------
    - name: Ensure /etc/apt/keyrings exists
      ansible.builtin.file:
        path: /etc/apt/keyrings
        state: directory
        mode: "0755"

    - name: Add Docker GPG key
      ansible.builtin.get_url:
        url: "https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg"
        dest: /etc/apt/keyrings/docker.asc
        mode: "0644"

    - name: Add Docker apt repository
      ansible.builtin.apt_repository:
        repo: >-
          deb [arch={{ ansible_architecture |
                       replace('x86_64', 'amd64') |
                       replace('aarch64', 'arm64') }}
          signed-by=/etc/apt/keyrings/docker.asc]
          https://download.docker.com/linux/{{ ansible_distribution | lower }}
          {{ ansible_distribution_release }} stable
        state: present
        filename: docker
        update_cache: yes

    - name: Install Docker Engine + compose plugin
      ansible.builtin.apt:
        name:
          - docker-ce
          - docker-ce-cli
          - containerd.io
          - docker-buildx-plugin
          - docker-compose-plugin
        state: present

    - name: Ensure Docker service is running
      ansible.builtin.systemd:
        name: docker
        state: started
        enabled: yes

    # ---------------------------------------------------------
    # Repo files (already present at {{ deploy_dir }})
    # ---------------------------------------------------------
    - name: Ensure deploy directory exists
      ansible.builtin.file:
        path: "{{ deploy_dir }}"
        state: directory
        mode: "0755"

    - name: Ensure init/sync.sh is executable
      ansible.builtin.file:
        path: "{{ deploy_dir }}/init/sync.sh"
        mode: "0755"

    # ---------------------------------------------------------
    # Caddy vhost for auth.e-cosplay.fr
    # ---------------------------------------------------------
    - name: Ensure /etc/caddy/site directory exists
      ansible.builtin.file:
        path: /etc/caddy/site
        state: directory
        mode: "0755"
        owner: root
        group: root

    - name: Ensure /var/log/caddy directory exists
      ansible.builtin.file:
        path: /var/log/caddy
        state: directory
        mode: "0755"
        owner: caddy
        group: caddy
      ignore_errors: true

    - name: Deploy Caddy vhost for {{ auth_domain }}
      ansible.builtin.template:
        src: e-auth.conf.j2
        dest: "{{ caddy_site_file }}"
        mode: "0644"
        owner: root
        group: root
      notify: Reload caddy

    - name: Validate Caddy configuration
      ansible.builtin.command: caddy validate --config /etc/caddy/Caddyfile
      register: caddy_validate
      changed_when: false
      failed_when: caddy_validate.rc != 0

    # ---------------------------------------------------------
    # Bring up the docker-compose stack
    # ---------------------------------------------------------
    - name: Pull docker images
      ansible.builtin.command: docker compose pull
      args:
        chdir: "{{ deploy_dir }}"
      changed_when: false

    - name: Start docker-compose stack
      ansible.builtin.command: docker compose up -d --remove-orphans
      args:
        chdir: "{{ deploy_dir }}"
      register: compose_up
      changed_when: >-
        'Started' in (compose_up.stderr | default(''))
        or 'Created' in (compose_up.stderr | default(''))
        or 'Recreated' in (compose_up.stderr | default(''))

    - name: Show compose output
      ansible.builtin.debug:
        var: compose_up.stderr_lines
      when: compose_up.stderr_lines is defined

  handlers:
    - name: Reload caddy
      ansible.builtin.systemd:
        name: caddy
        state: reloaded