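---
# Tasks: install trojan-go from a GitHub release, issue a Let's Encrypt
# certificate with certbot, and run trojan-go as an unprivileged system user
# under systemd. Variables referenced here (trojan_user, trojan_config_path,
# trojan_bin_path, trojan_version, trojan_domain, certbot_email) and the
# "restart trojan" handler are defined outside this file.
#
# Review notes vs. the previous revision of this file:
#   - yes/no booleans replaced with true/false (YAML 1.1 truthy ambiguity).
#   - get_url now accepts an optional checksum so the downloaded artifact can
#     be pinned (supply-chain integrity); omitted when the variable is unset.

- name: Create trojan service user
  ansible.builtin.user:
    name: "{{ trojan_user }}"
    system: true
    shell: /usr/sbin/nologin
    create_home: false

- name: Create trojan config directory
  ansible.builtin.file:
    path: "{{ trojan_config_path | dirname }}"
    state: directory
    owner: "{{ trojan_user }}"
    group: "{{ trojan_user }}"
    mode: "0750"

# The archive lands at a fixed, predictable path under /tmp and the
# cleanup task below removes it every run, so this download is repeated on
# each play; the later copy task is still idempotent by content checksum.
- name: Download trojan-go binary
  ansible.builtin.get_url:
    url: "https://github.com/p4gefau1t/trojan-go/releases/download/v{{ trojan_version }}/trojan-go-linux-amd64.zip"
    dest: /tmp/trojan-go.zip
    mode: "0644"
    # Supply-chain: pin the release artifact's digest when it is known.
    # `trojan_checksum` is a constructed variable name for this review; set it
    # to e.g. "sha256:<DIGEST>" (placeholder). When undefined the parameter is
    # omitted, so existing inventories keep working unchanged.
    checksum: "{{ trojan_checksum | default(omit) }}"

- name: Create extraction directory
  ansible.builtin.file:
    path: /tmp/trojan-go-extract/
    state: directory
    mode: "0755"

- name: Extract trojan-go binary
  ansible.builtin.unarchive:
    src: /tmp/trojan-go.zip
    dest: /tmp/trojan-go-extract/
    remote_src: true
    creates: /tmp/trojan-go-extract/trojan-go

# Root-owned, non-writable by the service user: the process must not be able
# to replace its own executable.
- name: Install trojan-go binary
  ansible.builtin.copy:
    src: /tmp/trojan-go-extract/trojan-go
    dest: "{{ trojan_bin_path }}"
    remote_src: true
    owner: root
    group: root
    mode: "0755"
  notify: restart trojan

# File capabilities are attached to the inode, so a replaced binary loses
# them; this task runs after the copy and re-applies the capability. It
# allows binding ports < 1024 without running the service as root.
- name: Grant CAP_NET_BIND_SERVICE to trojan-go
  community.general.capabilities:
    path: "{{ trojan_bin_path }}"
    capability: cap_net_bind_service=+ep
    state: present

- name: Clean up downloaded archive
  ansible.builtin.file:
    path: "{{ item }}"
    state: absent
  loop:
    - /tmp/trojan-go.zip
    - /tmp/trojan-go-extract

- name: Install certbot
  ansible.builtin.apt:
    name:
      - certbot
    state: present

# `command` (not `shell`) so the templated values are passed as argv entries
# rather than interpreted by a shell. --standalone needs port 80 free; this
# runs before the trojan-go unit is started. `creates` keeps it idempotent.
- name: Obtain Let's Encrypt certificate
  ansible.builtin.command:
    cmd: >-
      certbot certonly --standalone --non-interactive --agree-tos
      --email {{ certbot_email }} -d {{ trojan_domain }}
    creates: "/etc/letsencrypt/live/{{ trojan_domain }}/fullchain.pem"

# NOTE(review): the three tasks below only grant directory traversal (0755,
# i.e. to every local user). certbot typically writes privkey.pem 0600
# root-owned, so whether the trojan user can actually read the private key
# depends on the unit file and config template (not shown here) — confirm,
# and consider 0750 with group "{{ trojan_user }}" if world-traversable
# certificate directories are not required.
- name: Grant trojan user read access to TLS certificates
  ansible.builtin.file:
    path: /etc/letsencrypt
    state: directory
    mode: "0755"

- name: Ensure live directory is accessible
  ansible.builtin.file:
    path: "/etc/letsencrypt/live/{{ trojan_domain }}"
    state: directory
    mode: "0755"

- name: Ensure archive directory is accessible
  ansible.builtin.file:
    path: "/etc/letsencrypt/archive/{{ trojan_domain }}"
    state: directory
    mode: "0755"

# certbot runs post-renewal hooks as root; the hook reloads the trojan-go
# unit installed below so the renewed certificate is picked up.
- name: Deploy certbot renewal hook for trojan
  ansible.builtin.copy:
    dest: /etc/letsencrypt/renewal-hooks/post/restart-trojan.sh
    content: |
      #!/bin/bash
      systemctl reload trojan-go
    owner: root
    group: root
    mode: "0755"

# 0640 owned by the service user: the rendered config may contain credentials
# and must not be world-readable.
- name: Deploy trojan-go configuration
  ansible.builtin.template:
    src: trojan-config.json.j2
    dest: "{{ trojan_config_path }}"
    owner: "{{ trojan_user }}"
    group: "{{ trojan_user }}"
    mode: "0640"
  notify: restart trojan

- name: Deploy trojan-go systemd unit
  ansible.builtin.template:
    src: trojan.service.j2
    dest: /etc/systemd/system/trojan-go.service
    owner: root
    group: root
    mode: "0644"
  notify: restart trojan

- name: Enable and start trojan-go service
  ansible.builtin.systemd:
    name: trojan-go
    daemon_reload: true
    enabled: true
    state: started

- name: Enable certbot auto-renewal timer
  ansible.builtin.systemd:
    name: certbot.timer
    enabled: true
    state: started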