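---
# Tasks for deploying coturn as a standalone Kubernetes pod: create the
# service account, render the config, prepare TLS material, and install the
# pod manifest.
#
# File modes are written as quoted strings throughout, so the value does not
# depend on how the YAML parser treats a leading-zero integer.

- name: add group for coturn
  group:
    name: coturn
    gid: "{{ coturn_gid }}"

- name: add user for coturn
  user:
    name: coturn
    uid: "{{ coturn_uid }}"
    group: coturn
    # "!" is not a valid password hash, so password login stays locked.
    password: "!"

# NOTE(review): no owner/group/mode is set here, so the directory (and any
# parent directories created on the way) get the defaults of the user running
# the play. Confirm this is intended, given that the ssl subdirectory below is
# pinned to root:coturn 0750.
- name: create coturn config subdirectory
  file:
    path: "{{ coturn_base_path }}/{{ coturn_realm }}/config"
    state: directory

# The config is readable by root and the coturn group only (0640).
# owner is set explicitly, matching the other files managed by this role.
# NOTE(review): presumably turnserver.conf carries credentials; verify
# against turnserver.conf.j2.
- name: create coturn config
  template:
    src: turnserver.conf.j2
    dest: "{{ coturn_base_path }}/{{ coturn_realm }}/config/turnserver.conf"
    owner: root
    group: coturn
    mode: "0640"

# Only root and members of the coturn group may enter the directory that
# holds the private key.
- name: create coturn ssl subdirectory
  file:
    path: "{{ coturn_base_path }}/{{ coturn_realm }}/config/ssl"
    state: directory
    owner: root
    group: coturn
    mode: "0750"

- name: generate Diffie-Hellman parameters
  openssl_dhparam:
    path: "{{ coturn_base_path }}/{{ coturn_realm }}/config/ssl/dhparams.pem"
    size: "{{ coturn_dhparam_size }}"
    owner: root
    group: coturn
    mode: "0644"

# Describes where the renewed certificate and key are installed and which
# command runs afterwards. The private key is limited to root and the coturn
# group (0640); the certificate chain is world-readable (0644) but sits inside
# the 0750 ssl directory.
#
# The reload script stops the coturn container of this node's ready pod and
# exits with status 42 when no such pod or container is found.
# NOTE(review): presumably the kubelet restarts the stopped container so that
# coturn loads the new certificate, and the renewal role gives exit status 42
# a special meaning; confirm both against the x509 roles.
# NOTE(review): coturn_realm and ansible_nodename are interpolated unescaped
# into the crictl --name pattern, so a "." in either matches any character.
- name: compute certificate renewal config
  set_fact:
    coturn_certificate_renewal:
      install:
        - dest: "{{ coturn_base_path }}/{{ coturn_realm }}/config/ssl/cert.pem"
          src:
            - fullchain
          owner: root
          group: coturn
          mode: "0644"
        - dest: "{{ coturn_base_path }}/{{ coturn_realm }}/config/ssl/privkey.pem"
          src:
            - key
          owner: root
          group: coturn
          mode: "0640"
      reload: |
        pod_id=$(crictl pods -q --state ready --name "^coturn-{{ coturn_realm }}-{{ ansible_nodename }}$")
        [ -n "$pod_id" ] || exit 42
        container_id=$(crictl ps -q --name '^coturn$' -p "$pod_id")
        [ -n "$container_id" ] || exit 42
        crictl stop "$container_id"

# The vhost answers every request path with 404.
# NOTE(review): presumably the vhost exists only so that the nginx/vhost role
# obtains the certificate; confirm.
# NOTE(review): x509_certificate_renewal is placed next to nginx_vhost (not
# inside it), matching how the task below passes it; verify against the
# nginx/vhost role.
- name: configure nginx vhost
  when: coturn_install_nginx_vhost
  vars:
    nginx_vhost:
      name: "coturn-{{ coturn_realm }}"
      template: generic
      tls: "{{ coturn_tls }}"
      hostnames: "{{ coturn_hostnames }}"
      locations:
        '/':
          return: "404"
    x509_certificate_renewal: "{{ coturn_certificate_renewal }}"
  include_role:
    name: nginx/vhost

# Without the nginx vhost the certificate role is included directly; the
# provider is selected by coturn_tls.certificate_provider.
- name: generate/install/fetch TLS certificate
  when: not coturn_install_nginx_vhost
  vars:
    x509_certificate_name: "coturn-{{ coturn_realm }}"
    x509_certificate_hostnames: "{{ coturn_hostnames }}"
    x509_certificate_renewal: "{{ coturn_certificate_renewal }}"
  include_role:
    name: "x509/{{ coturn_tls.certificate_provider }}/cert"

# The manifest is written with mode 0600 (owner read/write only).
# NOTE(review): presumably config_hash_items makes the pod restart when the
# checksum of turnserver.conf changes; confirm in kubernetes/standalone/pod.
- name: install pod manifest
  vars:
    kubernetes_standalone_pod:
      name: "coturn-{{ coturn_realm }}"
      spec: "{{ lookup('template', 'pod-spec.yml.j2') }}"
      mode: "0600"
      config_hash_items:
        - path: "{{ coturn_base_path }}/{{ coturn_realm }}/config/turnserver.conf"
          properties:
            - checksum
  include_role:
    name: kubernetes/standalone/pod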