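---
# Provisions the "heimdall" host: installs Docker, prepares the stack
# directory, writes a Compose project (redis, traefik, traefik-kop and a
# Gitea act_runner) and brings it up.
#
# Secrets are written to a 0600 ".env" file next to the compose file and
# referenced from it with ${VAR}. The compose file itself stays
# world-readable (0644) and holds no token.
- name: "Heimdall"
  hosts: heimdall  # Targeted via your inventory
  become: true

  vars:
    stack_dir: "/opt/stacks/heimdall"
    chester_user: "chester"
    # Replace with Heimdall's actual static IP
    heimdall_ip: "10.0.0.145"
    # NOTE(review): this key is spelled CF_HIEMDALL while the Gitea secret
    # below is HEIMDALL_GITEA_TOKEN. Confirm the spelling matches the key
    # actually stored in your secrets source.
    cf_token: "{{ secrets.CF_HIEMDALL }}"

  tasks:
    - name: "Gate -2: Install Docker & Tools (Ubuntu)"
      ansible.builtin.apt:
        name:
          - curl
          - git
          - jq
          - docker.io
          - docker-compose-v2
          - python3-pip
        state: present
        update_cache: true

    # Membership in the docker group allows full control of the Docker
    # daemon, which is equivalent to root on this host. Treat the account
    # as privileged.
    - name: "Gate -1: Add chester to docker group"
      ansible.builtin.user:
        name: "{{ chester_user }}"
        groups: docker
        append: true

    - name: "Gate 0: Infrastructure Setup"
      ansible.builtin.file:
        path: "{{ item }}"
        state: directory
        owner: "{{ chester_user }}"
        group: "{{ chester_user }}"
        mode: '0755'
      loop:
        - "{{ stack_dir }}"
        - "{{ stack_dir }}/traefik-certs"
        - "{{ stack_dir }}/redis-data"
        - "{{ stack_dir }}/runner-data"

    - name: "Gate 1: Deploy Heimdall Stack"
      ansible.builtin.copy:
        dest: "{{ stack_dir }}/docker-compose.yml"
        owner: "{{ chester_user }}"
        group: "{{ chester_user }}"
        mode: '0644'
        content: |
          services:
            redis:
              image: redis:7-alpine
              container_name: redis
              restart: unless-stopped
              volumes:
                - ./redis-data:/data
              command: redis-server --appendonly yes
              healthcheck:
                test: ["CMD", "redis-cli", "ping"]

            traefik:
              image: traefik:v3.0
              container_name: traefik
              restart: unless-stopped
              ports:
                - "80:80"
                - "443:443"
                # No entrypoint on :8080 is defined in the flags below. If the
                # insecure API mode is ever enabled, this mapping exposes the
                # dashboard without authentication on every interface. Drop
                # it or bind it to 127.0.0.1 unless it is needed.
                - "8080:8080"
              environment:
                # Resolved by Compose from the .env file in this directory.
                - CF_DNS_API_TOKEN=${CF_TOKEN}
              volumes:
                # ":ro" makes the socket file read-only; it does not limit
                # which Docker API calls can be made through it. A filtering
                # socket proxy is the usual way to restrict that.
                - /var/run/docker.sock:/var/run/docker.sock:ro
                - ./traefik-certs:/letsencrypt
              command:
                - "--api.dashboard=true"
                # With the docker provider's defaults every container on this
                # daemon is eligible for routing. Consider opting containers
                # in explicitly instead.
                - "--providers.docker=true"
                - "--providers.redis=true"
                - "--providers.redis.endpoints=redis:6379"
                - "--entrypoints.web.address=:80"
                - "--entrypoints.websecure.address=:443"
                - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare"
                - "--certificatesresolvers.myresolver.acme.email=admin@castaldifamily.com"
                - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"

            traefik-kop:
              # ":latest" is mutable: pin a version tag or digest you have
              # reviewed so a re-pull cannot silently change what runs here.
              image: ghcr.io/jittering/traefik-kop:latest
              container_name: traefik-kop-edge
              restart: unless-stopped
              volumes:
                - /var/run/docker.sock:/var/run/docker.sock:ro
              environment:
                - REDIS_ADDR=redis:6379
                - BIND_IP={{ heimdall_ip }} # reports Beelink's IP

            gitea-runner:
              # ":latest" is mutable: pin a version tag or digest (see above).
              image: gitea/act_runner:latest
              container_name: gitea-runner-heimdall
              restart: always
              volumes:
                - ./runner-data:/data
                # Read-write Docker socket: workflows executed by this runner
                # can control the host's Docker daemon. Limit which
                # repositories and users may schedule jobs on it.
                - /var/run/docker.sock:/var/run/docker.sock
              environment:
                - GITEA_INSTANCE_URL=https://git.castaldifamily.com
                # Resolved by Compose from the .env file in this directory.
                - GITEA_RUNNER_REGISTRATION_TOKEN=${GITEA_RUNNER_REGISTRATION_TOKEN}

    # cf_token was defined in vars but never written anywhere Compose could
    # read it, so ${CF_TOKEN} had no value at launch. The Gitea registration
    # token was previously templated straight into the 0644 compose file.
    # Both now live in a 0600 .env file.
    # NOTE(review): if a .env is already maintained by hand in stack_dir,
    # this task replaces it.
    - name: "Gate 1b: Write Compose secrets (.env)"
      ansible.builtin.copy:
        dest: "{{ stack_dir }}/.env"
        owner: "{{ chester_user }}"
        group: "{{ chester_user }}"
        mode: '0600'
        content: |
          CF_TOKEN={{ cf_token }}
          GITEA_RUNNER_REGISTRATION_TOKEN={{ secrets.HEIMDALL_GITEA_TOKEN }}
      # Keep token values out of task output, diffs and logs.
      no_log: true

    - name: "Gate 2: Launch Stack"
      community.docker.docker_compose_v2:
        project_src: "{{ stack_dir }}"
        state: present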