# haproxy role — install HAProxy 2.8, render the config, ensure the
# systemd unit is running. Idempotent.
#
# NOTE: nothing in this file pins the package version — the apt task
# below installs whatever `haproxy` the host's configured apt sources
# provide. "2.8" is only met if those sources (set up outside this role)
# carry 2.8; verify on a new host before relying on 2.8-only directives
# in haproxy.cfg.j2.
#
# Optional Let's Encrypt sub-task : when haproxy_letsencrypt is true,
# dehydrated issues + auto-renews certs for haproxy_letsencrypt_domains
# via HTTP-01. Wildcards are NOT supported (need DNS-01) — list
# subdomains explicitly. Internal services on talas.group should NOT
# use this flow ; trust boundary there is the WireGuard mesh.
#
# Task order matters: certs dir -> config render -> service up -> ACME.
# The ACME step is last presumably because the HTTP-01 challenge has to
# be reachable through the running proxy — confirm against letsencrypt.yml.
---
# state: present (not latest) keeps the run idempotent; security updates
# for the haproxy package are therefore NOT applied by this role.
- name: Install HAProxy + curl (smoke test relies on it)
  ansible.builtin.apt:
    name:
      - haproxy
      - curl
    state: present
    update_cache: true
    cache_valid_time: 3600
  tags: [haproxy, packages]

# 0750 root:haproxy — only root may write here; the haproxy group can list
# and traverse. This task sets the DIRECTORY mode only: the mode of each
# PEM dropped inside (private keys included) is decided by whoever writes
# it (letsencrypt.yml / the operator), not here — check those writers keep
# key files group/world-unreadable.
- name: Ensure /etc/haproxy/certs exists (TLS terminations land here)
  ansible.builtin.file:
    path: /etc/haproxy/certs
    state: directory
    owner: root
    group: haproxy
    mode: "0750"
  tags: [haproxy, config]

# validate: runs `haproxy -c` against the rendered temp file (%s) BEFORE it
# replaces the live config, so a broken template never lands in
# /etc/haproxy/haproxy.cfg. -q suppresses the "valid" banner; errors still
# surface in the task failure. 0640 root:haproxy matches the certs dir.
# On change the "Reload haproxy" handler (defined in the role's handlers,
# not in this file) is notified — a graceful reload, not a restart.
- name: Render haproxy.cfg
  ansible.builtin.template:
    src: haproxy.cfg.j2
    dest: /etc/haproxy/haproxy.cfg
    owner: root
    group: haproxy
    mode: "0640"
    validate: "haproxy -f %s -c -q"
  register: haproxy_config
  notify: Reload haproxy
  tags: [haproxy, config]

# Export the template's changed flag as a plain fact so letsencrypt.yml
# can branch on it without depending on the registered variable name.
- name: Set haproxy_config_changed fact (consumed by letsencrypt.yml)
  ansible.builtin.set_fact:
    haproxy_config_changed: "{{ haproxy_config.changed }}"
  tags: [haproxy, config]

# started (not restarted): a running instance is left alone; config
# changes reach it only via the reload handler notified above.
- name: Enable + start haproxy
  ansible.builtin.systemd:
    name: haproxy
    state: started
    enabled: true
  tags: [haproxy, service]

# import_tasks is static: letsencrypt.yml is always parsed, and the
# `when` is copied onto every imported task (each shows as skipped when
# haproxy_letsencrypt is false). The tags propagate the same way, so
# `--tags letsencrypt` selects the whole sub-flow.
- name: Issue + auto-renew Let's Encrypt certs (HTTP-01 via dehydrated)
  ansible.builtin.import_tasks: letsencrypt.yml
  when: haproxy_letsencrypt | default(false)
  tags: [haproxy, letsencrypt]