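---
# Build and run a local container registry (htpasswd auth + self-signed TLS)
# as a rootless Podman quadlet under the current user's systemd instance.
# All state is kept next to the playbook: certs/, data/ and auth/.
- name: Run registry container
  hosts: localhost
  gather_facts: false
  vars:
    # Credentials written to the registry's htpasswd file. The password is
    # read from REGISTRY_ADMIN_PASSWORD so it does not have to be committed
    # with the playbook; the fallback keeps the previous admin/admin default
    # for local testing only.
    registry_admin_user: admin
    registry_admin_password: "{{ lookup('env', 'REGISTRY_ADMIN_PASSWORD') | default('admin', true) }}"
    # Hostname the self-signed certificate is issued for (CN and DNS SAN).
    registry_hostname: tiptop
    registry_org: MyOwnVerySelf
  tasks:
    - name: Create directory for certs
      ansible.builtin.file:
        path: "{{ playbook_dir }}/certs"
        state: directory

    - name: Create directory for data, mounted into the container as the registry store
      ansible.builtin.file:
        path: "{{ playbook_dir }}/data"
        state: directory

    - name: Create directory for auth (htpasswd)
      ansible.builtin.file:
        path: "{{ playbook_dir }}/auth"
        state: directory

    - name: Create auth file
      community.general.htpasswd:
        path: "{{ playbook_dir }}/auth/htpasswd"
        name: "{{ registry_admin_user }}"
        password: "{{ registry_admin_password }}"
        hash_scheme: bcrypt
      # Keep the password out of task output and Ansible logs.
      no_log: true

    - name: Create private key (RSA, 4096 bits)
      community.crypto.openssl_privatekey:
        path: "{{ playbook_dir }}/certs/domain.key"

    - name: Create certificate signing request (CSR) for self-signed certificate
      community.crypto.openssl_csr_pipe:
        privatekey_path: "{{ playbook_dir }}/certs/domain.key"
        common_name: "{{ registry_hostname }}"
        organization_name: "{{ registry_org }}"
        subject_alt_name:
          - "DNS:{{ registry_hostname }}"
      # The CSR is kept in memory only; it is consumed by the next task.
      register: registry_csr

    - name: Create self-signed certificate from CSR
      community.crypto.x509_certificate:
        path: "{{ playbook_dir }}/certs/domain.crt"
        csr_content: "{{ registry_csr.csr }}"
        privatekey_path: "{{ playbook_dir }}/certs/domain.key"
        provider: selfsigned

    - name: Build container
      containers.podman.podman_image:
        name: myregistry
        state: build
        build:
          format: oci
          # NOTE(review): the base image is pulled by mutable tag; pin it to a
          # digest (registry@sha256:<digest>) for a reproducible build.
          # REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED turns on the deprecated
          # schema1 manifest format; newer registry releases are believed to
          # ignore it — confirm it is still needed before keeping it.
          container_file: |-
            FROM docker.io/library/registry:latest
            ENV REGISTRY_COMPATIBILITY_SCHEMA1_ENABLED true
            ENV REGISTRY_AUTH htpasswd
            ENV REGISTRY_AUTH_HTPASSWD_REALM "Registry Realm"
            ENV REGISTRY_AUTH_HTPASSWD_PATH /auth/htpasswd
            ENV REGISTRY_HTTP_TLS_CERTIFICATE /certs/domain.crt
            ENV REGISTRY_HTTP_TLS_KEY /certs/domain.key
            EXPOSE 5000

    - name: Install quadlet
      containers.podman.podman_container:
        name: myregistry
        state: quadlet
        image: localhost/myregistry:latest
        # :z relabels the host directories so the container can read/write them.
        volumes:
          - "{{ playbook_dir }}/certs:/certs:z"
          - "{{ playbook_dir }}/data:/var/lib/registry:z"
          - "{{ playbook_dir }}/auth:/auth:z"
        # Quoted so the mapping is never read as a number. This publishes the
        # registry on every host interface; use "127.0.0.1:5000:5000" when the
        # registry is only meant for local use.
        ports:
          - "5000:5000"
        quadlet_options:
          - |
            [Install]
            WantedBy=default.target

    - name: Reload systemd
      ansible.builtin.systemd_service:
        daemon_reload: true
        scope: user

    - name: Start container
      ansible.builtin.systemd_service:
        scope: user
        name: myregistry.service
        state: started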