---
- name: Provision Twirre server
  hosts: twirre_servers
  become: true

  pre_tasks:
    - name: Validate Bun application definitions
      ansible.builtin.assert:
        that:
          - bun_apps is iterable
          - bun_apps | length > 0
        fail_msg: Define at least one Bun application in bun_apps.
      when: bun_enabled | bool

    - name: Validate WireGuard configuration when enabled
      ansible.builtin.assert:
        that:
          - wireguard_interface.address | length > 0
          - wireguard_interface.private_key | length > 0
        fail_msg: WireGuard is enabled but the interface address or private key is missing.
      when: wireguard_enabled | bool

  roles:
    - role: base
    - role: ssh
    - role: backupagent
      when: backupagent_enabled | bool
    - role: docker
      when: docker_enabled | bool
    - role: bun
      when: bun_enabled | bool
    - role: fail2ban
      when: fail2ban_enabled | bool
    - role: wireguard
      when: wireguard_enabled | bool
    - role: gitea
      when: gitea_enabled | bool
    - role: mailserver
      when: mailserver_enabled | bool
    - role: bun_app
      loop: "{{ bun_apps }}"
      loop_control:
        loop_var: bun_app
        label: "{{ bun_app.name }}"
      when: bun_enabled | bool
    - role: nginx
      when: nginx_enabled | bool
    - role: certbot
      when: certbot_enabled | bool