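---
# Tasks that configure the Mosquitto MQTT broker: main configuration file,
# password file, PID file, and UFW rules for the configured listeners.

# Renders the broker configuration from a template and restarts the broker
# when it changes.
# NOTE(review): the lineinfile tasks that used to enforce `allow_anonymous
# false` and `password_file` are commented out below, so those settings now
# depend entirely on templates/default.conf.j2 - confirm the template emits
# both.
- name: Configure Mosquitto
  template:
    dest: /etc/mosquitto/conf.d/default.conf
    src: templates/default.conf.j2
    owner: mosquitto
    group: root
    # Quoted so the mode is always passed as an octal string, never as a
    # YAML integer whose meaning depends on the parser.
    mode: '0660'
    backup: true
  notify: Restart Mosquitto

# Disabled tasks, kept for reference. They edit the same file the template
# task above writes; presumably superseded by the template.

# - name: Ensure Mosquitto doesn't allow anonymous access
#   ansible.builtin.lineinfile:
#     path: /etc/mosquitto/conf.d/default.conf
#     regexp: '^allow_anonymous '
#     line: 'allow_anonymous false'
#     owner: mosquitto
#     group: root
#     mode: 0660
#     create: yes
#     backup: yes
#   notify: Restart Mosquitto

# - name: Ensure Mosquitto log to standard output (journald)
#   ansible.builtin.lineinfile:
#     path: /etc/mosquitto/conf.d/default.conf
#     regexp: '^log_dest stdout'
#     line: 'log_dest stdout'
#     owner: mosquitto
#     group: root
#     mode: 0660
#     create: yes
#     backup: yes
#   notify: Restart Mosquitto

# Renders the broker's password file from a template.
# NOTE(review): the rendered file presumably holds credential entries, so
# `diff: false` keeps its contents out of --diff output and CI logs.
# `backup: true` leaves timestamped copies of earlier versions next to the
# live file; prune them if retired credentials must not linger on disk.
- name: Ensure password file for Mosquitto exists
  template:
    dest: "{{ mosquitto_config['password_file'] | default('/etc/mosquitto/passwd')}}"
    src: templates/mosquitto_passwd.j2
    owner: mosquitto
    group: root
    mode: '0660'
    backup: true
  diff: false
  notify: Restart Mosquitto

# Creates the PID file (if missing) and sets its owner and mode.
- name: Ensure PID file for Mosquitto exists
  file:
    path: "{{ mosquitto_config['pid_file'] | default('/var/run/mosquitto.pid')}}"
    state: touch
    owner: mosquitto
    mode: '0660'
    # Preserve timestamps so the task reports "changed" only when it creates
    # the file or corrects owner/mode, instead of on every run.
    modification_time: preserve
    access_time: preserve

# - name: Ensure Mosquitto use password file
#   ansible.builtin.lineinfile:
#     path: /etc/mosquitto/conf.d/default.conf
#     regexp: '^password_file '
#     line: 'password_file /etc/mosquitto/passwd'
#     owner: mosquitto
#     group: root
#     mode: 0660
#     create: yes
#     backup: yes
#   notify: Restart Mosquitto

# Opens one firewall rule per entry in mosquitto_listeners when
# open_ufw_to_mosquitto is truthy; entries with port 0 are skipped.
# The rule is limited to TCP, the transport Mosquitto listeners use, so the
# same port number is not also opened for UDP.
# NOTE(review): the rule accepts any source address and is applied to every
# listener, whether or not that listener uses TLS. If clients come from a
# known network, narrow it with the module's `from_ip` option.
- name: Ensure Mosquitto port is accessible
  ufw:
    rule: allow
    port: "{{ item.port }}"
    proto: tcp
  when:
    - open_ufw_to_mosquitto
    - item.port != 0
  loop: "{{ mosquitto_listeners }}"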