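---
# Playbook: caddy-levkin-site
# Purpose: Add levkin.ca reverse proxy to Caddy (site LXC 220)
# Targets: caddy
# Usage: make caddy-levkin
#
# Both tasks edit /etc/caddy/Caddyfile in place as root. The first task
# inserts the HTTPS site block, the second adds the HTTP->HTTPS redirect to
# the existing :80 block. Caddy is reloaded only when a task reports a change.

- name: Add levkin.ca proxy block to Caddy
  hosts: caddy
  become: true
  become_method: ansible.builtin.su

  tasks:
    - name: Ensure levkin.ca HTTPS block exists (after caseware block)
      # The upstream reaches the script through the environment rather than
      # being templated into the shell text, so quotes, "$(...)" or
      # backslashes in levkin_site_upstream cannot change the command that
      # runs as root. awk reads it via ENVIRON, which (unlike -v) does not
      # interpret escape sequences.
      ansible.builtin.shell: |
        set -euo pipefail
        caddyfile=/etc/caddy/Caddyfile

        # Idempotency guard: nothing to do (and nothing printed) when the
        # site block is already there.
        if grep -q -e '^levkin\.ca,' -e '^levkin\.ca {' "$caddyfile"; then
          exit 0
        fi

        # Stage next to the target, not under a fixed name in world-writable
        # /tmp: mktemp gives an unpredictable name, the final mv stays on one
        # filesystem (atomic rename), and cp -p carries over the Caddyfile's
        # owner and mode before the content is overwritten.
        tmp="$(mktemp "${caddyfile}.XXXXXX")"
        trap 'rm -f "$tmp"' EXIT
        cp -p "$caddyfile" "$tmp"

        # Insert the new site block right after the closing brace of the
        # caseware.levkin.ca block. awk exits non-zero when that block is
        # never seen, so a missing anchor is an error instead of a silent
        # no-op rewrite.
        if ! awk '
          /^caseware\.levkin\.ca \{/ { in_cw=1 }
          in_cw && /^}$/ && !done {
            print
            print ""
            print "levkin.ca, www.levkin.ca {"
            print " import security-headers"
            print " @www host www.levkin.ca"
            print " redir @www https://levkin.ca{uri} permanent"
            print " reverse_proxy " ENVIRON["LEVKIN_UPSTREAM"]
            print "}"
            done=1
            next
          }
          { print }
          END { if (!done) exit 3 }
        ' "$caddyfile" > "$tmp"; then
          echo "levkin.ca block not inserted: no caseware.levkin.ca block found in $caddyfile" >&2
          exit 1
        fi

        # Parse the staged file before it replaces the live config; a syntax
        # error aborts here and leaves the current Caddyfile untouched.
        caddy adapt --config "$tmp" --adapter caddyfile > /dev/null

        mv -f "$tmp" "$caddyfile"
        echo levkin-block-added
      args:
        executable: /bin/bash
      environment:
        LEVKIN_UPSTREAM: "{{ levkin_site_upstream | default('10.0.10.60:80') }}"
      register: levkin_https_block
      # rc is 0 on the "already present" path too, so key the changed state
      # (and therefore the reload) on the marker printed after a real edit.
      changed_when: "'levkin-block-added' in levkin_https_block.stdout"
      notify: Reload caddy

    - name: Ensure levkin.ca HTTP redirect in :80 block
      # NOTE(review): when the insertafter pattern matches nothing,
      # blockinfile appends the block at end of file, which would put the
      # matcher and redir outside any site block. The reload handler would
      # then fail on the parse error; confirm the @vikunja line exists on
      # the target.
      ansible.builtin.blockinfile:
        path: /etc/caddy/Caddyfile
        marker: "# {mark} ANSIBLE MANAGED levkin.ca :80"
        insertafter: '@vikunja host todo.levkin.ca'
        block: |
          @levkin host levkin.ca www.levkin.ca
          redir @levkin https://levkin.ca{uri} permanent
      notify: Reload caddy

  handlers:
    # Runs once at the end of the play, and only if a task above changed the
    # Caddyfile.
    - name: Reload caddy
      ansible.builtin.command: caddy reload --config /etc/caddy/Caddyfile
      changed_when: true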