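---
# Deploys the Umami stack: creates the remote base directory, generates any
# missing secrets on the controller, renders the .env and compose files, and
# brings the compose project up.

- name: Ensure base directory exists (remote)
  become: true
  ansible.builtin.file:
    path: "{{ umami_base_dir }}"
    state: directory
    owner: root
    group: root
    mode: "0755"

# --- Local secrets handling ---
# The password lookup stores each generated value in plaintext under
# umami_secrets_dir on the controller and returns the stored value on later
# runs. Keep that directory out of version control and backups that are not
# access-controlled.

- name: Ensure local secrets dir exists (controller)
  # Lookups always run as the controller user. Creating the directory without
  # privilege escalation keeps it owned by that same user, so the 0700 mode
  # does not lock the lookup out when the play enables become.
  become: false
  ansible.builtin.file:
    path: "{{ umami_secrets_dir }}"
    state: directory
    mode: "0700"
  delegate_to: localhost
  run_once: false

- name: Generate DB password if needed (local)
  ansible.builtin.set_fact:
    umami_db_password: >-
      {{ lookup('ansible.builtin.password',
      umami_secrets_dir ~ '/.db_password chars=ascii_letters,digits length=32') }}
  # Only generate when the caller supplied no value (undefined or empty).
  when: (umami_db_password | default('') | length) == 0
  delegate_to: localhost
  run_once: false
  # set_fact returns the new fact in its task result; without no_log the
  # password is printed in verbose runs and by logging callbacks.
  no_log: true

- name: Generate app secret if needed (local)
  ansible.builtin.set_fact:
    umami_app_secret: >-
      {{ lookup('ansible.builtin.password',
      umami_secrets_dir ~ '/.app_secret chars=hexdigits length=64') }}
  # Only generate when the caller supplied no value (undefined or empty).
  when: (umami_app_secret | default('') | length) == 0
  delegate_to: localhost
  run_once: false
  # Same reason as the DB password task: keep the secret out of task output.
  no_log: true

# --- Remote config + deployment ---

- name: Render .env file
  become: true
  ansible.builtin.template:
    src: env.j2
    dest: "{{ umami_base_dir }}/.env"
    owner: root
    group: root
    mode: "0640"
  # env.j2 is not shown here; presumably it embeds the secrets above (confirm).
  # Suppressing the diff keeps rendered content out of --diff output and CI
  # logs while still reporting changed/failed normally.
  diff: false
  notify: Restart umami stack

- name: Render docker-compose.yml
  become: true
  ansible.builtin.template:
    src: docker-compose.yml.j2
    dest: "{{ umami_base_dir }}/docker-compose.yml"
    owner: root
    group: root
    # World-readable: secrets belong in .env, not in this template.
    mode: "0644"
  notify: Restart umami stack

- name: Ensure Umami stack is running
  become: true
  community.docker.docker_compose_v2:
    project_src: "{{ umami_base_dir }}"
    project_name: "{{ umami_compose_project_name }}"
    state: present
    pull: "{{ umami_compose_pull }}"
    recreate: "{{ umami_compose_recreate }}"
  register: umami_compose_result

- name: Display docker compose changes
  ansible.builtin.debug:
    var: umami_compose_result
  # register always defines the variable, so this guard is effectively
  # always true; kept for compatibility.
  when: umami_compose_result is defined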