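---
# Playbook: caddy-auth-authentik
# Purpose: Add auth.levkin.ca reverse proxy to Caddy (Phase 1 Authentik)
# Targets: caddy
# Usage: make -f Makefile caddy-auth OR ansible-playbook playbooks/caddy-auth-authentik.yml
#
# Both edits are validated with `caddy validate` before the live Caddyfile is
# replaced, so a bad edit fails the task instead of reaching the reload handler
# with an already-overwritten config.

- name: Add Authentik proxy block to Caddy
  hosts: caddy
  become: true
  become_method: ansible.builtin.su
  tasks:
    - name: Ensure auth.levkin.ca HTTPS block exists (after cal block)
      # Idempotent: exits early (reporting "unchanged") when the block already
      # exists. Otherwise the new file is staged with mktemp next to the
      # Caddyfile (same filesystem, so mv is an atomic rename; no predictable
      # /tmp path a local user could pre-create or symlink), inherits the
      # original's mode/owner, and is validated before it replaces the original.
      ansible.builtin.shell: |
        set -euo pipefail
        cf=/etc/caddy/Caddyfile
        if grep -q '^auth\.levkin\.ca {' "$cf"; then
          echo unchanged
          exit 0
        fi
        tmp=$(mktemp "${cf}.XXXXXX")
        trap 'rm -f "$tmp"' EXIT
        awk '
          /^cal\.levkin\.ca \{/ { in_cal=1 }
          in_cal && /^}$/ && !done {
            print
            print ""
            print "auth.levkin.ca {"
            print "  import security-headers"
            print "  encode gzip"
            print "  reverse_proxy 10.0.10.21:9000"
            print "}"
            done=1
            next
          }
          { print }
          END {
            # Fail loudly instead of silently writing an unchanged file when
            # the cal.levkin.ca block is missing.
            if (!done) {
              print "cal.levkin.ca block not found in " FILENAME > "/dev/stderr"
              exit 1
            }
          }
        ' "$cf" > "$tmp"
        chmod --reference="$cf" "$tmp"
        chown --reference="$cf" "$tmp"
        # Temp file is not named Caddyfile, so the adapter must be given explicitly.
        caddy validate --config "$tmp" --adapter caddyfile
        mv "$tmp" "$cf"
        trap - EXIT
        echo changed
      args:
        executable: /bin/bash
      register: auth_https_block
      # Only report a change (and fire the reload) when the block was actually
      # inserted; the original unconditional `changed_when: true` reloaded Caddy
      # on every run.
      changed_when: "'changed' in auth_https_block.stdout_lines"
      notify: Reload caddy

    - name: Check the :80 redirect anchor line is present
      # blockinfile falls back to appending at end of file when insertafter has
      # no match, which would put the redirect outside the :80 block. Fail the
      # play instead.
      ansible.builtin.command: grep -qE '^[[:space:]]*@vault host vault\.levkin\.ca' /etc/caddy/Caddyfile
      changed_when: false

    - name: Ensure auth.levkin.ca HTTP redirect in :80 block
      ansible.builtin.blockinfile:
        path: /etc/caddy/Caddyfile
        marker: "# {mark} ANSIBLE MANAGED auth.levkin.ca :80"
        # insertafter is a regex; dots escaped so the anchor matches literally.
        insertafter: '@vault host vault\.levkin\.ca'
        block: |
          @auth host auth.levkin.ca
          redir @auth https://auth.levkin.ca{uri} permanent
        # %s is the staged copy; the live file is only replaced if it parses.
        validate: caddy validate --config %s --adapter caddyfile
      notify: Reload caddy

  handlers:
    - name: Reload caddy
      ansible.builtin.command: caddy reload --config /etc/caddy/Caddyfile
      changed_when: true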