- name: Install expect
  ansible.builtin.apt:
    name: expect
    state: present

- name: Create Bitwarden directory
  ansible.builtin.file:
    path: "{{ bitwarden_root }}"
    state: directory
    mode: "755"

- name: Download Bitwarden script
  ansible.builtin.get_url:
    url: "https://raw.githubusercontent.com/\
          bitwarden/self-host/master/bitwarden.sh"
    dest: "{{ bitwarden_root }}"
    mode: u+x

- name: Install Bitwarden script wrapper
  ansible.builtin.template:
    src: bw_wrapper.j2
    dest: "{{ bitwarden_root }}/bw_wrapper"
    mode: u+x

- name: Run Bitwarden installation script
  ansible.builtin.command: "{{ bitwarden_root }}/bw_wrapper"
  args:
    creates: "{{ bitwarden_root }}/bwdata/config.yml"

- name: Install compose override
  ansible.builtin.template:
    src: compose.override.yml.j2
    dest: "{{ bitwarden_root }}/bwdata/docker/docker-compose.override.yml"
    mode: "644"
  when: bitwarden_override | default(true)
  notify: rebuild_bitwarden

- name: Disable bitwarden-nginx HTTP on 80
  ansible.builtin.replace:
    path: "{{ bitwarden_root }}/bwdata/config.yml"
    regexp: "^http_port: 80$"
    replace: "http_port: {{ bitwarden_http_port | default('127.0.0.1:9080') }}"
  when: not bitwarden_standalone
  notify: rebuild_bitwarden

- name: Disable bitwarden-nginx HTTPS on 443
  ansible.builtin.replace:
    path: "{{ bitwarden_root }}/bwdata/config.yml"
    regexp: "^https_port: 443$"
    replace: "https_port: {{ bitwarden_https_port | default('127.0.0.1:9443') }}"
  when: not bitwarden_standalone
  notify: rebuild_bitwarden

- name: Disable Bitwarden managed Lets Encrypt
  ansible.builtin.replace:
    path: "{{ bitwarden_root }}/bwdata/config.yml"
    regexp: "^ssl_managed_lets_encrypt: true$"
    replace: "ssl_managed_lets_encrypt: false"
  when: not bitwarden_standalone or not bitwarden_production
  notify: rebuild_bitwarden

- name: Disable Bitwarden managed SSL
  ansible.builtin.replace:
    path: "{{ bitwarden_root }}/bwdata/config.yml"
    regexp: "^ssl: true$"
    replace: "ssl: false"
  when: not bitwarden_standalone
  notify: rebuild_bitwarden

- name: Define reverse proxy servers
  ansible.builtin.lineinfile:
    path: "{{ bitwarden_root }}/bwdata/config.yml"
    line: "- {{ bitwarden_realips }}"
    insertafter: "^real_ips"
  notify: rebuild_bitwarden

- name: Install Bitwarden systemd service
  ansible.builtin.template:
    src: bitwarden.service.j2
    dest: "/etc/systemd/system/{{ bitwarden_name }}.service"
    mode: "644"
  register: bitwarden_systemd
  notify: rebuild_bitwarden

- name: Create Bitwarden's initial logging directory
  ansible.builtin.file:
    path: "{{ bitwarden_logs_identity }}"
    state: directory
    mode: "755"
  notify: touch_bitwarden

- name: Install Bitwarden's Fail2ban jail
  ansible.builtin.template:
    src: fail2ban-jail.conf.j2
    dest: /etc/fail2ban/jail.d/bitwarden.conf
    mode: "640"
  notify: restart_fail2ban