- name: "Create Taiga admin user (idempotent)"
  command: >
    docker compose
    -f {{ TAIGA_DOCKER_COMPOSE_PATH }}
    -f {{ TAIGA_DOCKER_COMPOSE_INIT_PATH }}
    run --rm taiga-manage
    createsuperuser --noinput
    --username {{ TAIGA_SUPERUSER_NAME }}
    --email {{ TAIGA_SUPERUSER_EMAIL }}
  args:
    chdir: "{{ docker_compose.directories.instance }}"
  register: taiga_create_admin
  changed_when: taiga_create_admin.rc == 0
  failed_when: >
    taiga_create_admin.rc != 0 and
    ('already taken' not in (taiga_create_admin.stdout + taiga_create_admin.stderr) | lower) and
    ('already exists' not in (taiga_create_admin.stdout + taiga_create_admin.stderr) | lower) and
    ('integrityerror' not in (taiga_create_admin.stdout + taiga_create_admin.stderr) | lower)
  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"

- name: "Upsert Taiga admin via manage.py shell"
  command: >
    docker compose
    -f {{ TAIGA_DOCKER_COMPOSE_PATH }}
    -f {{ TAIGA_DOCKER_COMPOSE_INIT_PATH }}
    run --rm
    -e DJANGO_SUPERUSER_PASSWORD={{ TAIGA_SUPERUSER_PASSWORD | quote }}
    taiga-manage
    shell -c
    "from django.contrib.auth import get_user_model; import os; U=get_user_model(); u,created=U.objects.get_or_create(username='{{ TAIGA_SUPERUSER_NAME }}'); changed=bool(created); old=(u.email,u.is_staff,u.is_superuser,u.is_active); u.email='{{ TAIGA_SUPERUSER_EMAIL }}'; u.is_staff=True; u.is_superuser=True; u.is_active=True; changed = changed or old!=(u.email,u.is_staff,u.is_superuser,u.is_active); pwd=os.environ.get('DJANGO_SUPERUSER_PASSWORD'); assert pwd, 'Missing DJANGO_SUPERUSER_PASSWORD'; need_pwd = not u.check_password(pwd); changed = changed or need_pwd; need_pwd and u.set_password(pwd); u.save(); print('CHANGED=1' if changed else 'CHANGED=0')"
  args:
    chdir: "{{ docker_compose.directories.instance }}"
  register: taiga_upsert_admin
  when: taiga_create_admin.rc != 0
  changed_when: "'CHANGED=1' in ((taiga_upsert_admin.stdout | default('')) + (taiga_upsert_admin.stderr | default('')))"
  no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
  poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"