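---
# Provision the unprivileged user that runs the Gitea Actions runner
# (act_runner) and the SSH material its job containers use for git access.
# Every task carries the `gitea-actions` tag so the play can be limited to
# this feature.

- name: create gitea-runner user
  become: true
  ansible.builtin.user:
    name: "{{ gitea_runner_user }}"
    comment: Gitea Actions runner
    shell: /bin/bash
    # canonical option name; `createhome` is the deprecated alias
    create_home: true
    home: "{{ gitea_runner_home }}"
  tags: gitea-actions

# Lingering keeps the user's systemd --user instance (and thus the runner
# service) alive without an interactive login.
- name: check if gitea-runner lingering enabled
  become: true
  ansible.builtin.stat:
    path: "/var/lib/systemd/linger/{{ gitea_runner_user }}"
  register: gitea_runner_lingering
  tags: gitea-actions

- name: enable gitea-runner lingering
  become: true
  ansible.builtin.command: loginctl enable-linger {{ gitea_runner_user }}
  when: not gitea_runner_lingering.stat.exists
  tags: gitea-actions

- name: create .config/systemd/user directory
  become: true
  become_user: "{{ gitea_runner_user }}"
  ansible.builtin.file:
    path: "{{ gitea_runner_home }}/.config/systemd/user"
    state: directory
    mode: "0755"
  tags: gitea-actions

- name: create .ssh directory
  become: true
  ansible.builtin.file:
    path: "{{ gitea_runner_home }}/.ssh"
    state: directory
    owner: "{{ gitea_runner_user }}"
    group: "{{ gitea_runner_user }}"
    mode: "0700"
  tags: gitea-actions

# The key has no passphrase (-N "") because it is used non-interactively from
# job containers; `creates` makes the task idempotent so an existing key is
# never regenerated (which would invalidate the public half registered in
# Gitea).
- name: generate SSH key for gitea-runner
  become: true
  become_user: "{{ gitea_runner_user }}"
  ansible.builtin.command:
    cmd: ssh-keygen -t ed25519 -f {{ gitea_runner_home }}/.ssh/id_ed25519 -N "" -C "gitea-runner@galactica"
    creates: "{{ gitea_runner_home }}/.ssh/id_ed25519"
  tags: gitea-actions

# Host keys are learned once (trust-on-first-use) and then pinned: the scan
# only runs while known_hosts is absent, so a later man-in-the-middle cannot
# get its key re-learned. A vetted known_hosts shipped with the role would
# be stronger than TOFU. Both hosts are scanned in ONE invocation — the
# previous per-host loop shared a single `creates:` file, so only the first
# host ever made it into known_hosts.
- name: check for existing gitea-runner known_hosts
  become: true
  ansible.builtin.stat:
    path: "{{ gitea_runner_home }}/.ssh/known_hosts"
  register: gitea_runner_known_hosts
  tags: gitea-actions

- name: scan Gitea SSH host keys
  become: true
  become_user: "{{ gitea_runner_user }}"
  ansible.builtin.command:
    argv:
      - ssh-keyscan
      - -p
      - "2222"
      - git.skudak.com
      - git.debyl.io
  register: gitea_runner_hostkey_scan
  changed_when: false
  # ssh-keyscan may exit 0 even when a host is unreachable (errors go to
  # stderr); refusing an empty scan avoids pinning an empty file that would
  # break every later clone and never be retried.
  failed_when: gitea_runner_hostkey_scan.stdout | trim | length == 0
  when: not gitea_runner_known_hosts.stat.exists
  tags: gitea-actions

- name: add Gitea SSH host keys to known_hosts
  become: true
  ansible.builtin.copy:
    content: "{{ gitea_runner_hostkey_scan.stdout }}\n"
    dest: "{{ gitea_runner_home }}/.ssh/known_hosts"
    owner: "{{ gitea_runner_user }}"
    group: "{{ gitea_runner_user }}"
    mode: "0644"
  when: not gitea_runner_known_hosts.stat.exists
  tags: gitea-actions

- name: set known_hosts permissions
  become: true
  ansible.builtin.file:
    path: "{{ gitea_runner_home }}/.ssh/known_hosts"
    owner: "{{ gitea_runner_user }}"
    group: "{{ gitea_runner_user }}"
    mode: "0644"
  tags: gitea-actions

# CI jobs run in ephemeral rootless-podman containers that don't inherit the
# gitea-runner user's ~/.ssh. Stage a dedicated, SELinux-labelled copy of the
# runner's key + known_hosts and bind-mount it read-only into every job
# container at /root/.ssh (see config.yaml.j2) so submodule clones over
# ssh://git@git.skudak.com:2222 work. Kept separate from ~/.ssh so the real
# directory's label is never touched.
#
# NOTE(review): because the private key is mounted into every job container,
# any workflow that runs on this runner can read it. Keep the key's
# authorisation on the Gitea side to the minimum the jobs need (e.g. a
# read-only deploy key) rather than a user-level key.
- name: create ci-ssh dir for job-container mount
  become: true
  ansible.builtin.file:
    path: "{{ gitea_runner_home }}/ci-ssh"
    state: directory
    owner: "{{ gitea_runner_user }}"
    group: "{{ gitea_runner_user }}"
    mode: "0700"
  tags: gitea-actions

- name: stage runner ssh material into ci-ssh
  become: true
  ansible.builtin.copy:
    src: "{{ gitea_runner_home }}/.ssh/{{ item.name }}"
    dest: "{{ gitea_runner_home }}/ci-ssh/{{ item.name }}"
    remote_src: true
    owner: "{{ gitea_runner_user }}"
    group: "{{ gitea_runner_user }}"
    mode: "{{ item.mode }}"
  loop:
    - name: id_ed25519
      mode: "0600"
    - name: known_hosts
      mode: "0644"
  # running containers hold the old bind mount; restart so they pick up new
  # material
  notify: restart act_runner services
  tags: gitea-actions

# sefcontext only records the policy rule; it does not relabel existing
# files, hence the restorecon task below.
- name: label ci-ssh as container_file_t so job containers can read it
  become: true
  community.general.sefcontext:
    target: "{{ gitea_runner_home }}/ci-ssh(/.*)?"
    setype: container_file_t
    state: present
  register: ci_ssh_sefcontext
  tags: gitea-actions

- name: apply selinux label to ci-ssh
  become: true
  # -F forces the label even on files with a customised context; intended
  # here since the directory is owned by this role
  ansible.builtin.command: restorecon -RF {{ gitea_runner_home }}/ci-ssh
  when: ci_ssh_sefcontext is changed
  changed_when: true
  tags: gitea-actions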