---
- name: Create a user for running the pi-hole podman container
  ansible.builtin.include_role:
    name: user
  vars:
    user_username: "{{ pi_hole_username }}"
    user_password: "{{ pi_hole_password }}"
- name: Create the /etc-pihole directory in the home directory (will be mounted to the container)
  become: true
  become_user: "{{ pi_hole_username }}"
  ansible.builtin.file:
    path: "/home/{{ pi_hole_username }}/etc-pihole"
    state: directory
    mode: '0700'
  register: command_result
  failed_when:
    - command_result.changed == false
    - command_result.rc != 0
    # This is quite an interesting problem. The command fails because, after initial creation, the pod using the volume
    # changes the user of the folder to a UID only known within the container. This command basically doesn't need to
    # change anything at this point so we'll ignore the error for now.
    - "'set_mode_if_different' not in command_result.module_stdout"
- name: Create the /etc-dnsmasq.d directory in the home directory (will be mounted to the container)
  become: true
  become_user: "{{ pi_hole_username }}"
  ansible.builtin.file:
    path: "/home/{{ pi_hole_username }}/etc-dnsmasq.d"
    state: directory
    mode: '0700'
  failed_when:
    - command_result.changed == false
    - command_result.rc != 0
    # This is quite an interesting problem. The command fails because, after initial creation, the pod using the volume
    # changes the user of the folder to a UID only known within the container. This command basically doesn't need to
    # change anything at this point so we'll ignore the error for now.
    - "'set_mode_if_different' not in command_result.module_stdout"
- name: Start the Pi-hole container
  become: true
  become_user: "{{ pi_hole_username }}"
  containers.podman.podman_container:
    name: pi-hole
    image: docker.io/pihole/pihole:2024.03.2
    # TODO: Enable containers on boot
    # I expected podman containers to restart on boot with this policy but apparently the documentation specifically
    # states that they won't do this. There seems to be an involved workaround to get this to work whilst keeping the
    # containers "rootless". See this guide: https://linuxhandbook.com/autostart-podman-containers/
    restart_policy: on-failure
    publish:
    # It seems we can't use authbind in combination with Podman, see: https://github.com/containers/podman/issues/13426.
    # Instead we'll map to a higher port number and install and use the ufw firewall to forward packets to the local port.
      - 127.0.0.1:5053:53/tcp
      - 127.0.0.1:5053:53/udp
      - 127.0.0.1:8080:80
    hostname: "{{ ansible_facts['hostname'] }}" # Setting this will restart the container
    env:
      TZ: 'Europe/Amsterdam'
      WEBPASSWORD: "{{ pi_hole_web_password }}"
      # VIRTUAL_HOST: 'pi-hole.kleinendorst.info'
      # FTLCONF_LOCAL_IPV4: "{{ ansible_facts['default_ipv4']['address'] }}"
      PIHOLE_DNS_: 1.1.1.1;1.0.0.1
      DNSMASQ_USER: root
      INTERFACE: tap0
    volumes:
      - "/home/{{ pi_hole_username }}/etc-pihole:/etc/pihole"
      - "/home/{{ pi_hole_username }}/etc-dnsmasq.d:/etc/dnsmasq.d"
    state: started
- name: Install certificate for pi-hole.kleinendorst.info
  become: true
  ansible.builtin.command:
    cmd: register_certbot_domain.sh pi-hole.kleinendorst.info
    creates: /etc/letsencrypt/live/pi-hole.kleinendorst.info # The certificate directory
- name: Set Nginx configuration
  become: true
  ansible.builtin.template:
    src: pi-hole.conf.j2
    dest: /etc/nginx/conf.d/pi-hole.conf
    mode: '0644'
  notify: Restart Nginx
- name: Debug
  ansible.builtin.debug:
    msg: "Don't forget to manually add a DNS record for pi-hole.kleinendorst.info pointing to: {{ ansible_facts['default_ipv4']['address'] }}."
- name: Setup udp port forwarding (53 > 5053) in nginx
  become: true
  ansible.builtin.blockinfile:
    path: /etc/nginx/nginx.conf
    insertbefore: '^http \{$'
    block: |
      stream {
        server {
          listen 53;
          proxy_pass 127.0.0.1:5053;
        }

        server {
            listen 53 udp;
            proxy_pass 127.0.0.1:5053;
        }
      }
  notify: Restart Nginx
# - name: Add forwarding rules for ufw
#   become: true
#   ansible.builtin.blockinfile:
#     path: /etc/ufw/before.rules
#     insertbefore: "^\\*filter$"
#     block: |
#       *nat
#       :PREROUTING ACCEPT [0:0]
#       -A PREROUTING -p tcp -i eth0 --dport 53 -j DNAT \ --to-destination 127.0.0.1:5053
#       -A PREROUTING -p udp -i eth0 --dport 53 -j DNAT \ --to-destination 127.0.0.1:5053
#       COMMIT
#   notify: Restart ufw
# - name: Allow all access to port 53 (udp)
#   become: true
#   community.general.ufw:
#     rule: allow
#     port: '53'
#     proto: udp
#   notify: Restart ufw
# - name: Allow all access to port 53 (tcp)
#   become: true
#   community.general.ufw:
#     rule: allow
#     port: '53'
#     proto: tcp
#   notify: Restart ufw