---
- name: Install Podman
  become: true
  ansible.builtin.apt:
    name: podman
    state: present
- name: Create a user for running the pi-hole podman container
  ansible.builtin.include_role:
    name: user
  vars:
    user_username: "{{ pi_hole_username }}"
    user_password: "{{ pi_hole_password }}"
- name: Create the /etc-pihole directory in the home directory (will be mounted to the container)
  become: true
  become_user: "{{ pi_hole_username }}"
  ansible.builtin.file:
    path: "/home/{{ pi_hole_username }}/etc-pihole"
    state: directory
    mode: '0700'
  register: command_result
  failed_when:
    - command_result.rc != 0
    # This is quite an interesting problem. The command fails because, after initial creation, the pod using the volume
    # changes the user of the folder to a UID only known within the container. This command basically doesn't need to
    # change anything at this point so we'll ignore the error for now.
    - "'set_mode_if_different' not in command_result.module_stdout"
- name: Create the /etc-dnsmasq.d directory in the home directory (will be mounted to the container)
  become: true
  become_user: "{{ pi_hole_username }}"
  ansible.builtin.file:
    path: "/home/{{ pi_hole_username }}/etc-dnsmasq.d"
    state: directory
    mode: '0700'
  failed_when:
    - command_result.rc != 0
    # This is quite an interesting problem. The command fails because, after initial creation, the pod using the volume
    # changes the user of the folder to a UID only known within the container. This command basically doesn't need to
    # change anything at this point so we'll ignore the error for now.
    - "'set_mode_if_different' not in command_result.module_stdout"
- name: Start the Pi-hole container
  become: true
  become_user: "{{ pi_hole_username }}"
  containers.podman.podman_container:
    name: pi-hole
    image: docker.io/pihole/pihole:2024.03.2
    restart_policy: on-failure
    publish:
    # It seems we can't use authbind in combination with Podman, see: https://github.com/containers/podman/issues/13426.
    # Instead we'll map to a higher port number and install and use the ufw firewall to forward packets to the local port.
      - 127.0.0.1:5053:53/tcp
      - 127.0.0.1:5053:53/udp
      - 127.0.0.1:8080:80
    env:
      TZ: 'Europe/Amsterdam'
      WEBPASSWORD: "{{ pi_hole_web_password }}"
      FTLCONF_LOCAL_IPV4: "{{ ansible_facts['default_ipv4']['address'] }}"
      PIHOLE_DNS_: 1.1.1.1;1.0.0.1
      DNSMASQ_USER: "{{ pi_hole_username }}"
    volumes:
      - "/home/{{ pi_hole_username }}/etc-pihole:/etc/pihole"
      - "/home/{{ pi_hole_username }}/etc-dnsmasq.d:/etc/dnsmasq.d"
    state: started
- name: Install certificate for pi-hole.kleinendorst.info
  become: true
  ansible.builtin.command:
    cmd: register_certbot_domain.sh pi-hole.kleinendorst.info
    creates: /etc/letsencrypt/live/pi-hole.kleinendorst.info # The certificate directory
- name: Set Nginx configuration
  become: true
  ansible.builtin.template:
    src: pi-hole.conf.j2
    dest: /etc/nginx/conf.d/pi-hole.conf
    mode: '0644'
  notify: Restart Nginx
- name: Debug
  ansible.builtin.debug:
    msg: "Don't forget to manually add a DNS record for pi-hole.kleinendorst.info pointing to: {{ ansible_facts['default_ipv4']['address'] }}."
# TODO: Install and configure ufw to forward the DNS port (53) to the 5053 podman container port.