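---
# Deploys the "watchtower" stack (traefik-kop agent, Portainer, code-server)
# on the local host with Docker Compose, running as the unprivileged user.
#
# Security notes:
#   * traefik-kop and Portainer bind-mount the Docker socket. The ":ro" flag
#     only makes the mount point read-only on the filesystem; it does NOT
#     restrict the Docker API, so a compromised container can still start
#     arbitrary (including privileged) containers. On a rootful daemon that is
#     root-equivalent on the host; rootless Docker confines it to the daemon
#     user's account.
#   * code-server credentials are no longer hard-coded as "password". They are
#     read from vault/extra-vars, validated, written to a 0600 .env file that
#     compose substitutes into the service environment, and kept out of the
#     play log with no_log.
- name: Setup Watchtower
  hosts: localhost
  connection: local
  # become: true <-- Removed: Rootless Docker prefers running as the user 'chester'
  vars:
    stack_dir: "/mnt/appdata/watchtower"
    chester_user: "chester"
    heimdall_redis: "10.0.0.151:6379"
    pi_ip: "10.0.0.200"
    # Socket used both by the compose module and by the containers that need
    # Docker API access. NOTE(review): the rootless comment above suggests this
    # should be the per-user socket (typically /run/user/<uid>/docker.sock);
    # confirm which daemon actually serves this host before relying on it.
    docker_socket: "/var/run/docker.sock"
    # Placeholder kept from the original file; override with the real host name
    # served through Traefik if code-server is proxied.
    code_server_proxy_domain: "code-server.my.domain"
    # code_server_password and code_server_sudo_password are deliberately NOT
    # defaulted here: supply them via Ansible Vault or --extra-vars.
  tasks:
    - name: Refuse to deploy with missing or placeholder code-server credentials
      ansible.builtin.assert:
        that:
          - code_server_password is defined
          - code_server_password | length > 0
          - code_server_password != "password"
          - code_server_sudo_password is defined
          - code_server_sudo_password | length > 0
          - code_server_sudo_password != "password"
        fail_msg: >-
          Set code_server_password and code_server_sudo_password (non-empty and
          not the image's documented example value) via Ansible Vault before
          running this play. code-server listens on 0.0.0.0:8443 and grants
          a shell with sudo, so weak credentials expose the whole host.
        # quiet suppresses echoing the evaluated expressions (and thus the
        # secret values) into the play output.
        quiet: true

    - name: Create monitoring directories
      # Root is needed only to create/chown the directories under /mnt/appdata;
      # everything else in the play runs as the invoking user.
      become: true
      block:
        - name: Ensure monitoring directories exist
          ansible.builtin.file:
            path: "{{ item }}"
            state: directory
            owner: "{{ chester_user }}"
            group: "{{ chester_user }}"
            mode: "0755"
          loop:
            - "{{ stack_dir }}"
            - "{{ stack_dir }}/portainer-data"
            - "{{ stack_dir }}/vscode-data"

    - name: Render compose specification
      # No secrets live in this file any more, so world-readable is acceptable;
      # credentials are injected via the 0600 .env rendered in the next task.
      ansible.builtin.copy:
        dest: "{{ stack_dir }}/docker-compose.yml"
        owner: "{{ chester_user }}"
        group: "{{ chester_user }}"
        mode: "0644"
        content: |
          services:
            traefik-kop:
              image: ghcr.io/jittering/traefik-kop:latest
              container_name: traefik-kop-agent
              restart: unless-stopped
              volumes:
                # Docker API access: ":ro" does not limit what the API can do.
                - {{ docker_socket }}:/var/run/docker.sock:ro
              environment:
                - REDIS_ADDR={{ heimdall_redis }}
                - BIND_IP={{ pi_ip }}

            portainer:
              image: portainer/portainer-ce:latest
              container_name: portainer
              restart: unless-stopped
              ports:
                # Quoted: compose port mappings must be strings (YAML 1.1
                # sexagesimal trap for low ports, and consistency).
                - "9443:9443"
              volumes:
                # Portainer manages the daemon through this socket; it is
                # root-equivalent on a rootful Docker host.
                - {{ docker_socket }}:/var/run/docker.sock:ro
                - {{ stack_dir }}/portainer-data:/data
              labels:
                - "traefik.enable=true"
                - "traefik.http.routers.portainer.rule=Host(`portainer.castaldifamily.com`)"
                - "traefik.http.routers.portainer.entrypoints=websecure"
                - "traefik.http.routers.portainer.tls.certresolver=cloudflare"
                - "traefik.http.services.portainer.loadbalancer.server.port=9443"
                - "traefik.http.services.portainer.loadbalancer.server.scheme=https"

            code-server:
              image: lscr.io/linuxserver/code-server:latest
              container_name: code-server
              environment:
                - PUID=1000
                - PGID=1000
                - TZ=Etc/UTC
                # ${...} is resolved by compose from the .env file next to this
                # compose file, so the plaintext never lands in this 0644 file.
                # The image also documents HASHED_PASSWORD / SUDO_PASSWORD_HASH
                # as hash-based alternatives; prefer those once a hash exists.
                - PASSWORD=${CODE_SERVER_PASSWORD}
                - SUDO_PASSWORD=${CODE_SERVER_SUDO_PASSWORD}
                - PROXY_DOMAIN={{ code_server_proxy_domain }}
                - DEFAULT_WORKSPACE=/config/workspace
                - PWA_APPNAME=code-server
              volumes:
                - {{ stack_dir }}/vscode-data:/config
              ports:
                - "8443:8443"
              restart: unless-stopped

    - name: Render code-server secrets (.env is read by compose for ${...} substitution)
      ansible.builtin.copy:
        dest: "{{ stack_dir }}/.env"
        owner: "{{ chester_user }}"
        group: "{{ chester_user }}"
        mode: "0600"
        content: |
          CODE_SERVER_PASSWORD={{ code_server_password }}
          CODE_SERVER_SUDO_PASSWORD={{ code_server_sudo_password }}
      # Keep secret material out of the play log and --diff output.
      # (The previously commented-out AUTHENTIK_OUTPOST_DOZZLE_TOKEN line is not
      # reinstated: no service in this stack consumes it.)
      no_log: true

    - name: Launch stack
      community.docker.docker_compose_v2:
        project_src: "{{ stack_dir }}"
        state: present
        pull: always
        docker_host: "unix://{{ docker_socket }}"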