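---
# Create the MailArchiver database and its database user.
# This role runs ONLY on the primary node.

# Blocks until the PostgreSQL Unix-domain socket file appears.
# NOTE(review): this only proves the socket file exists, not that the
# server accepts connections yet — confirm a connection check is not needed.
- name: Wait for PostgreSQL to be ready
  wait_for:
    path: "/var/run/postgresql/.s.PGSQL.5432"
    timeout: 60

# --- Create the mailuser role ---
# no_log keeps the password supplied via mailuser_password out of task
# output and verbose/debug logs (the password argument would otherwise be
# printed with the task result).
- name: Create mailuser database user
  postgresql_user:
    name: mailuser
    password: "{{ mailuser_password }}"
    role_attr_flags: CREATEDB
    login_unix_socket_directory: /var/run/postgresql
    db: postgres
  become: true
  become_user: postgres
  no_log: true

# --- Create the mailarchiver database ---
- name: Create mailarchiver database
  postgresql_db:
    name: mailarchiver
    owner: mailuser
    encoding: UTF-8
    lc_collate: en_US.UTF-8
    lc_ctype: en_US.UTF-8
    login_unix_socket_directory: /var/run/postgresql
  become: true
  become_user: postgres

# --- Grant privileges ---
# CREATE on the public schema is granted explicitly; it is no longer
# implied for every role on newer PostgreSQL releases.
- name: Grant privileges on schema public
  postgresql_query:
    db: mailarchiver
    query: |
      GRANT USAGE ON SCHEMA public TO mailuser;
      GRANT CREATE ON SCHEMA public TO mailuser;
    login_unix_socket_directory: /var/run/postgresql
  become: true
  become_user: postgres

# --- Default privileges for tables ---
# NOTE(review): without a FOR ROLE clause these defaults apply to objects
# later created by the connecting role (postgres), not to objects that
# mailuser creates itself — confirm this matches the intended ownership model.
- name: Set default privileges for tables
  postgresql_query:
    db: mailarchiver
    query: |
      ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO mailuser;
      ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO mailuser;
      ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON FUNCTIONS TO mailuser;
    login_unix_socket_directory: /var/run/postgresql
  become: true
  become_user: postgres

# --- Verification ---
# Reads back the database name and its owner (datdba cast to a role name).
- name: Verify mailarchiver database creation
  postgresql_query:
    db: mailarchiver
    query: "SELECT datname, pg_database.datdba::regrole FROM pg_database WHERE datname = 'mailarchiver'"
    login_unix_socket_directory: /var/run/postgresql
  become: true
  become_user: postgres
  register: db_verify

- name: Display database info
  debug:
    msg: "Database mailarchiver created: {{ db_verify.query_result }}"

# Best-effort check: no tables exist yet right after creation, so an empty
# or failing result is tolerated (ignore_errors) and reported below.
- name: Verify mailuser permissions
  postgresql_query:
    db: mailarchiver
    query: "SELECT * FROM information_schema.role_table_grants WHERE grantee='mailuser' LIMIT 5"
    login_unix_socket_directory: /var/run/postgresql
  become: true
  become_user: postgres
  register: user_perms
  ignore_errors: true

- name: Display user permissions
  debug:
    msg: "Mailuser permissions: {{ user_perms.query_result | default('No permissions yet') }}"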