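---
# Tasks for the coturn role. The listing was collapsed onto one line; the
# nesting below was restored from the key names.
# NOTE(review): confirm the placement of `hostnames` relative to `tls` in the
# nginx vhost task against the nginx/vhost role's expected variable schema.

- name: check if acme_client is set to acmetool
  assert:
    msg: "this role currently only works with acmetool"
    that:
      - acme_client == "acmetool"

- name: add group for coturn
  group:
    name: coturn
    gid: "{{ coturn_gid }}"

# "!" as the password hash leaves the account without a usable password.
- name: add user for coturn
  user:
    name: coturn
    uid: "{{ coturn_uid }}"
    group: coturn
    password: "!"

- name: create coturn config subdirectory
  file:
    path: "{{ coturn_base_path }}/{{ coturn_realm }}/config"
    state: directory

# File modes are quoted strings, matching the "0600" used for the pod manifest
# below, so the YAML parser never turns them into decimal integers.
- name: create coturn config
  template:
    src: turnserver.conf.j2
    dest: "{{ coturn_base_path }}/{{ coturn_realm }}/config/turnserver.conf"
    group: coturn
    mode: "0640"

- name: create coturn ssl subdirectory
  file:
    path: "{{ coturn_base_path }}/{{ coturn_realm }}/config/ssl"
    state: directory
    owner: root
    group: coturn
    mode: "0750"

- name: generate Diffie-Hellman parameters
  openssl_dhparam:
    path: "{{ coturn_base_path }}/{{ coturn_realm }}/config/ssl/dhparams.pem"
    size: "{{ coturn_dhparam_size }}"
    owner: root
    group: coturn
    mode: "0644"

- name: install acmetool hook script
  template:
    src: acmetool-reload.sh.j2
    dest: "/etc/acme/hooks/coturn-{{ coturn_realm }}"
    mode: "0755"

# Drop-in that lets the acmetool service write into this realm's ssl directory.
- name: install acmetool systemd unit snippet
  copy:
    dest: "/etc/systemd/system/acmetool.service.d/coturn-{{ coturn_realm }}.conf"
    content: |
      [Service]
      ReadWritePaths={{ coturn_base_path }}/{{ coturn_realm }}/config/ssl
  register: coturn_acmetool_snippet

# Only reload systemd when the drop-in above actually changed.
- name: reload systemd
  when: coturn_acmetool_snippet is changed
  systemd:
    daemon_reload: true

- name: configure nginx vhost
  when: coturn_install_nginx_vhost
  vars:
    nginx_vhost:
      name: "coturn-{{ coturn_realm }}"
      template: generic
      tls:
        certificate_provider: acmetool
      hostnames: "{{ coturn_hostnames }}"
      locations:
        '/':
          return: "404"
  include_role:
    name: nginx/vhost

# Without the nginx vhost, request the certificate directly via acmetool.
- name: get certificate using acmetool
  when: not coturn_install_nginx_vhost
  import_role:
    name: x509/acmetool/cert
  vars:
    acmetool_cert_name: "coturn-{{ coturn_realm }}"
    acmetool_cert_hostnames: "{{ coturn_hostnames }}"

# The pod manifest is re-rendered when the checksum of turnserver.conf changes.
- name: install pod manifest
  vars:
    kubernetes_standalone_pod:
      name: "coturn-{{ coturn_realm }}"
      spec: "{{ lookup('template', 'pod-spec.yml.j2') }}"
      mode: "0600"
      config_hash_items:
        - path: "{{ coturn_base_path }}/{{ coturn_realm }}/config/turnserver.conf"
          properties:
            - checksum
  include_role:
    name: kubernetes/standalone/pod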