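---
# Installs Keycloak from the upstream GitHub release tarball and bootstraps the
# OpenCMMC realm (three access groups, an OIDC client for Mailcow and a SAML
# client for Nextcloud) through kcadm.sh.
#
# Assumptions (not established by these tasks -- confirm in the calling play):
#   * a Keycloak server is already listening on http://localhost:8080 by the
#     time "Log in to Keycloak Admin CLI" runs; nothing here starts it.
#   * the tasks run as a user allowed to write under /opt.
#
# Required variables: keycloak_version, keycloak_admin_user,
# keycloak_admin_password.
# Optional variables: keycloak_tarball_checksum (e.g. "sha256:<hex>" -- the
# download is NOT integrity-checked unless this is set), mailcow_fqdn,
# nextcloud_fqdn (default to the original placeholder hostnames).

- name: Check if Keycloak is already installed
  stat:
    path: /opt/keycloak/bin/kcadm.sh
  register: keycloak_installed

# Download and extraction are split so the tarball can be pinned to a known
# digest: unarchive has no checksum option, get_url does. The digest is only
# enforced when keycloak_tarball_checksum is defined (otherwise behaviour is
# the same unverified download as before -- set it for a real deployment).
- name: Download Keycloak release tarball if not already installed
  get_url:
    url: "https://github.com/keycloak/keycloak/releases/download/{{ keycloak_version }}/keycloak-{{ keycloak_version }}.tar.gz"
    dest: "/opt/keycloak-{{ keycloak_version }}.tar.gz"
    checksum: "{{ keycloak_tarball_checksum | default(omit) }}"
    mode: "0644"
  when: not keycloak_installed.stat.exists

- name: Extract Keycloak into /opt
  unarchive:
    src: "/opt/keycloak-{{ keycloak_version }}.tar.gz"
    dest: /opt/
    remote_src: true
  when: not keycloak_installed.stat.exists

- name: Remove the downloaded tarball
  file:
    path: "/opt/keycloak-{{ keycloak_version }}.tar.gz"
    state: absent
  when: not keycloak_installed.stat.exists

- name: Rename keycloak directory
  command: "mv /opt/keycloak-{{ keycloak_version }} /opt/keycloak"
  args:
    # Makes the move a no-op on re-runs where the directory already exists.
    creates: /opt/keycloak/bin/kcadm.sh
  when: not keycloak_installed.stat.exists

- name: Set executable permissions on kcadm.sh
  file:
    path: /opt/keycloak/bin/kcadm.sh
    mode: "0755"
  when: not keycloak_installed.stat.exists

# kcadm.sh only accepts the admin password as a command-line argument, so it
# is visible in the target's process list for the duration of the call.
# no_log keeps it out of Ansible output/logs; | quote keeps a password with
# spaces or shell metacharacters from being split into extra arguments.
# The resulting session token is written to ~/.keycloak/kcadm.config on the
# target -- treat that file as a secret.
- name: Log in to Keycloak Admin CLI
  command: >
    /opt/keycloak/bin/kcadm.sh config credentials
    --server http://localhost:8080
    --realm master
    --user {{ keycloak_admin_user | quote }}
    --password {{ keycloak_admin_password | quote }}
  environment:
    KC_HOME: /opt/keycloak
  register: kcadm_login
  changed_when: false
  no_log: true

# kcadm "create" calls are not idempotent: they exit non-zero with an HTTP 409
# ("Conflict" / "... already exists") when the object is already there. Each
# create task below treats that case as "unchanged" instead of failing the
# play, so the file can be re-applied safely.
- name: Create OpenCMMC realm
  command: >
    /opt/keycloak/bin/kcadm.sh create realms
    -s realm=OpenCMMC -s enabled=true
  environment:
    KC_HOME: /opt/keycloak
  register: realm_create
  failed_when: >-
    realm_create.rc != 0 and
    not (realm_create.stderr is search('409|Conflict|already exists'))
  changed_when: realm_create.rc == 0
  when: kcadm_login is succeeded

- name: Create groups
  loop:
    - Access_CUI
    - Access_FCI
    - Access_Proprietary
  command: >
    /opt/keycloak/bin/kcadm.sh create groups -r OpenCMMC
    -s name={{ item }}
  environment:
    KC_HOME: /opt/keycloak
  register: group_create
  failed_when: >-
    group_create.rc != 0 and
    not (group_create.stderr is search('409|Conflict|already exists'))
  changed_when: group_create.rc == 0
  when: kcadm_login is succeeded

# publicClient=false makes this a confidential client; Keycloak generates a
# client secret that Mailcow must be configured with (retrieval is outside
# this file). The wildcard redirect URI accepts any path on the host -- for
# OIDC, prefer the exact callback path Mailcow uses once it is known, since
# broad redirect patterns let an open redirect on the host capture codes.
- name: Create OIDC client for Mailcow
  command: >
    /opt/keycloak/bin/kcadm.sh create clients -r OpenCMMC
    -s clientId=mailcow -s enabled=true
    -s protocol=openid-connect -s publicClient=false
    -s 'redirectUris=["https://{{ mailcow_fqdn | default("mail.yourdomain.com") }}/*"]'
  environment:
    KC_HOME: /opt/keycloak
  register: mailcow_client_create
  failed_when: >-
    mailcow_client_create.rc != 0 and
    not (mailcow_client_create.stderr is search('409|Conflict|already exists'))
  changed_when: mailcow_client_create.rc == 0
  when: kcadm_login is succeeded

# Signed assertions + forced POST binding as in the original. NOTE(review):
# whether to also require signed AuthnRequests from Nextcloud
# (saml.client.signature) is a deployment decision not made here -- confirm
# against the Nextcloud SAML app configuration.
- name: Create SAML client for Nextcloud
  command: >
    /opt/keycloak/bin/kcadm.sh create clients -r OpenCMMC
    -s clientId=nextcloud -s enabled=true -s protocol=saml
    -s 'redirectUris=["https://{{ nextcloud_fqdn | default("nextcloud.yourdomain.com") }}/*"]'
    -s 'attributes.saml.assertion.signature=true'
    -s 'attributes.saml.force.post.binding=true'
  environment:
    KC_HOME: /opt/keycloak
  register: nextcloud_client_create
  failed_when: >-
    nextcloud_client_create.rc != 0 and
    not (nextcloud_client_create.stderr is search('409|Conflict|already exists'))
  changed_when: nextcloud_client_create.rc == 0
  when: kcadm_login is succeeded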