- name: "Set up a self-hosted server"
  hosts: "{{ target if target is defined else 'mash_servers' }}"
  become: true

  roles:
    # This role has no tasks at all
    - role: galaxy/com.devture.ansible.role.playbook_help

    # This role has no tasks at all
    - role: galaxy/com.devture.ansible.role.systemd_docker_base

    - when: mash_playbook_docker_installation_enabled | bool
      role: galaxy/geerlingguy.docker
      vars:
        docker_install_compose: false
      tags:
        - setup-docker
        - setup-all
        - install-docker
        - install-all

    - when: devture_docker_sdk_for_python_installation_enabled | bool
      role: galaxy/com.devture.ansible.role.docker_sdk_for_python
      tags:
        - setup-docker
        - setup-all
        - install-docker
        - install-all

    - when: devture_timesync_installation_enabled | bool
      role: galaxy/com.devture.ansible.role.timesync
      tags:
        - setup-timesync
        - setup-all
        - install-timesync
        - install-all

    - role: mash/playbook_base

    - role: galaxy/swap

    - when: system_security_ssh_enabled | bool
      role: galaxy/ssh

    - when: system_security_fail2ban_enabled | bool
      role: galaxy/fail2ban

    # This role exposes various tags (setup-postgres, setup-all, upgrade-postgres, import-postgres, etc.), so we don't tag it here.
    - role: galaxy/com.devture.ansible.role.postgres

    - role: galaxy/com.devture.ansible.role.postgres_backup

    - role: galaxy/com.devture.ansible.role.container_socket_proxy

    - role: galaxy/com.devture.ansible.role.traefik

    - role: galaxy/adguard_home

    - role: galaxy/collabora_online

    - role: galaxy/docker_registry
    - role: galaxy/docker_registry_browser
    - role: galaxy/docker_registry_purger

    - role: galaxy/firezone

    - role: galaxy/focalboard

    - role: galaxy/gitea

    - role: galaxy/grafana

    - role: galaxy/miniflux

    - role: galaxy/hubsite

    - role: galaxy/nextcloud

    - role: galaxy/peertube

    - role: galaxy/prometheus
    - role: galaxy/prometheus_node_exporter
    - role: galaxy/prometheus_blackbox_exporter

    - role: galaxy/radicale

    - role: galaxy/redmine

    - role: galaxy/redis

    - role: galaxy/syncthing

    - role: galaxy/vaultwarden

    - role: galaxy/uptime_kuma

    - role: galaxy/com.devture.ansible.role.woodpecker_ci_server
    - role: galaxy/com.devture.ansible.role.woodpecker_ci_agent

    - role: galaxy/aux

    - when: devture_systemd_service_manager_enabled | bool
      role: galaxy/com.devture.ansible.role.systemd_service_manager

    # This is pretty much last, because we want it to better serve as a "last known good configuration".
    # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2217#issuecomment-1301487601
    - when: devture_playbook_state_preserver_enabled | bool
      role: galaxy/com.devture.ansible.role.playbook_state_preserver
      tags:
        - setup-all
        - install-all

    - role: galaxy/com.devture.ansible.role.playbook_runtime_messages