blumeops/ansible/roles/devpi/tasks/main.yml

---
# Note: devpi is installed via mise (pipx/uvx), not managed here.
#
# ONE-TIME SETUP (before running ansible):
#
# 1. Add to ~/.config/mise/config.toml on indri:
#
#    [tools]
#    "pipx:devpi-server" = { version = "latest", uvx = "true", uvx_args = "--with devpi-web" }
#    "pipx:devpi-client" = { version = "latest", uvx = "true" }
#
# 2. Install: mise install
#
# 3. Initialize with root password (generate password in 1password):
#    mise x -- devpi-init --serverdir {{ devpi_serverdir }} --root-passwd YOUR_PASSWORD
#
# 4. Run ansible to deploy LaunchAgent
#
# 5. Set up Tailscale service (see management log)

- name: Ensure devpi data directory exists
  ansible.builtin.file:
    path: "{{ devpi_serverdir }}"
    state: directory
    mode: '0755'

- name: Generate devpi secret file if not exists
  ansible.builtin.shell: |
    openssl rand -hex 32 > "{{ devpi_secretfile }}"
  args:
    creates: "{{ devpi_secretfile }}"

- name: Ensure devpi secret file has secure permissions
  ansible.builtin.file:
    path: "{{ devpi_secretfile }}"
    mode: '0600'

- name: Deploy devpi LaunchAgent plist
  ansible.builtin.template:
    src: devpi.plist.j2
    dest: ~/Library/LaunchAgents/mcquack.eblume.devpi.plist
    mode: '0644'
  notify: Reload devpi

- name: Check if devpi LaunchAgent is loaded
  ansible.builtin.command: launchctl list mcquack.eblume.devpi
  register: devpi_launchctl_check
  changed_when: false
  failed_when: false

- name: Load devpi LaunchAgent if not loaded
  ansible.builtin.command: launchctl load ~/Library/LaunchAgents/mcquack.eblume.devpi.plist
  when: devpi_launchctl_check.rc != 0
  changed_when: true
  failed_when: false