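#SPDX-License-Identifier: MIT-0
---
# tasks file for coturn
#
# Task order is deliberate: the configuration assert fails fast on a missing
# secret, directories are created next, TLS material is provisioned for the
# selected coturn_cert_mode, and only then is the compose project rendered and
# started. Tasks that change files the running container reads notify the
# "Restart coturn container" handler, which flushes at the end of the play.

- name: Assert minimum configuration
  ansible.builtin.assert:
    that:
      - coturn_realm | length > 0
      - coturn_external_ip | length > 0
      - coturn_static_auth_secret | length > 0
    # On failure the assert module reports the failed expression and this
    # message, not the evaluated value, so the shared secret is not echoed.
    fail_msg: >
      coturn_realm, coturn_external_ip and coturn_static_auth_secret must be set.
      Provide them in host_vars or via a secrets file.

- name: Create coturn compose directory
  ansible.builtin.file:
    path: "{{ coturn_docker_compose_dir }}"
    state: directory
    mode: "0755"

- name: Create coturn data directory
  ansible.builtin.file:
    path: "{{ coturn_docker_volume_dir }}"
    state: directory
    mode: "0755"

# The directory itself is world-readable; the private key written into it
# below is created with mode 0600, which is what protects the key material.
- name: Create certificate directory
  ansible.builtin.file:
    path: "{{ coturn_cert_dir }}"
    state: directory
    mode: "0755"

# --- TLS certificate provisioning -------------------------------------------------
# Exactly one of the two blocks below runs, selected by coturn_cert_mode.
# NOTE(review): a value other than 'acme' / 'selfsigned' silently provisions
# nothing here — confirm whether the role supports an externally managed
# certificate mode before adding that value to the assert above.

- name: Configure acme.sh sidecar (TSIG key + acme data dir)
  when: coturn_cert_mode == 'acme'
  block:
    # acme.sh keeps account keys and issued certificates here; 0700 so only
    # the owner can read them.
    - name: Create acme.sh data directory
      ansible.builtin.file:
        path: "{{ coturn_acme_data_dir }}"
        state: directory
        mode: "0700"

    # The TSIG key authorises dynamic DNS updates for the dns-01 challenge.
    # no_log keeps its contents out of play output and --diff; 0600 keeps it
    # out of reach of other local users.
    - name: Deploy nsupdate TSIG key
      ansible.builtin.copy:
        src: "{{ coturn_acme_nsupdate_key_src }}"
        dest: "{{ coturn_docker_compose_dir }}/nsupdate.key"
        mode: "0600"
      no_log: true
      notify: Restart coturn container

    # Default alias: the realm's host labels (everything but the last two
    # labels) relocated under the nsupdate zone. The label list and the zone
    # are joined in one step so that a one- or two-label realm, whose label
    # list is empty, yields the zone apex rather than a name with a leading
    # "." (which the former `labels ~ '.' ~ zone` form produced).
    # NOTE(review): kept inside the acme block — confirm against the compose
    # template that _coturn_challenge_aliases is only referenced in acme mode.
    # Assumes coturn_internal_realm is always defined (possibly empty).
    - name: Build effective challenge alias list (default if not provided)
      ansible.builtin.set_fact:
        _coturn_challenge_aliases: >-
          {{ coturn_acme_challenge_aliases
             if coturn_acme_challenge_aliases | length > 0
             else (
               [{'name': coturn_realm,
                 'alias': (coturn_realm.split('.')[:-2] + [coturn_acme_nsupdate_zone]) | join('.')}]
               + ([{'name': coturn_internal_realm,
                    'alias': (coturn_internal_realm.split('.')[:-2] + [coturn_acme_nsupdate_zone]) | join('.')}]
                  if coturn_internal_realm | length > 0 else [])
             ) }}

- name: Generate selfsigned certificate (vagrant / dev only)
  when: coturn_cert_mode == 'selfsigned'
  block:
    - name: Ensure openssl is available
      ansible.builtin.package:
        name: openssl
        state: present

    # P-256 key, owner-only readable. A regenerated key must reach the
    # running container, hence the restart notification.
    - name: Generate selfsigned private key
      community.crypto.openssl_privatekey:
        path: "{{ coturn_cert_dir }}/{{ coturn_key_file }}"
        type: ECC
        curve: secp256r1
        mode: "0600"
      notify: Restart coturn container

    # The CSR carries the realm as CN and as a DNS SAN; it is left on disk
    # for the certificate task below and contains no secret material.
    - name: Generate selfsigned CSR
      community.crypto.openssl_csr:
        path: "{{ coturn_cert_dir }}/{{ coturn_realm }}.csr"
        privatekey_path: "{{ coturn_cert_dir }}/{{ coturn_key_file }}"
        common_name: "{{ coturn_realm }}"
        subject_alt_name:
          - "DNS:{{ coturn_realm }}"
        mode: "0644"

    - name: Issue selfsigned certificate
      community.crypto.x509_certificate:
        path: "{{ coturn_cert_dir }}/{{ coturn_cert_file }}"
        privatekey_path: "{{ coturn_cert_dir }}/{{ coturn_key_file }}"
        csr_path: "{{ coturn_cert_dir }}/{{ coturn_realm }}.csr"
        provider: selfsigned
        mode: "0644"
      notify: Restart coturn container

# --- Compose + start --------------------------------------------------------------

# NOTE(review): if docker-compose.yml.j2 embeds coturn_static_auth_secret
# (it is asserted above, so likely), 0644 makes the secret readable by every
# local user — confirm and consider 0640 if compose is run as root.
- name: Generate docker-compose.yml for coturn
  ansible.builtin.template:
    src: docker-compose.yml.j2
    dest: "{{ coturn_docker_compose_dir }}/docker-compose.yml"
    mode: "0644"
  notify: Restart coturn container

# state: present creates and starts the project; pending restart
# notifications are flushed by the handler after this task.
- name: Start coturn stack
  community.docker.docker_compose_v2:
    project_src: "{{ coturn_docker_compose_dir }}"
    state: present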