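---
# Prepares the host for one mumble instance: service account, TLS material,
# data directory and the standalone pod manifest.
# All file modes are quoted so every YAML parser reads them as strings and
# none re-types them as octal or decimal integers.

- name: add group for mumble
  group:
    name: mumble
    gid: "{{ mumble_gid }}"

- name: add user for mumble
  user:
    name: mumble
    uid: "{{ mumble_uid }}"
    group: mumble
    # "!" is not a valid password hash, so password logins for this account
    # are locked.
    password: "!"

# root owns the directory and the mumble group gets read/traverse only, so
# the service can read its TLS material but cannot replace it.
- name: create mumble ssl subdirectory
  file:
    path: "{{ mumble_base_path }}/{{ mumble_instance }}/ssl"
    state: directory
    owner: root
    group: mumble
    mode: "0750"

# DH parameters are not secret, hence world-readable.
- name: generate Diffie-Hellman parameters
  openssl_dhparam:
    path: "{{ mumble_base_path }}/{{ mumble_instance }}/ssl/dhparams.pem"
    size: "{{ mumble_dhparam_size }}"
    owner: root
    group: mumble
    mode: "0644"

- name: generate/install/fetch TLS certificate
  vars:
    x509_certificate_name: "mumble-{{ mumble_instance }}"
    x509_certificate_hostnames: "{{ mumble_hostnames }}"
    x509_certificate_renewal:
      install:
        - dest: "{{ mumble_base_path }}/{{ mumble_instance }}/ssl/cert.pem"
          src:
            - fullchain
          owner: root
          group: mumble
          mode: "0644"
        # The private key is readable by root and the mumble group only.
        - dest: "{{ mumble_base_path }}/{{ mumble_instance }}/ssl/privkey.pem"
          src:
            - key
          owner: root
          group: mumble
          mode: "0640"
      # Shell snippet handed to the x509 role as the renewal reload hook.
      # It looks up the ready pod and its "mumble" container via crictl and
      # sends SIGUSR1 to PID 1 inside that container - presumably the mumble
      # server, which is expected to re-read the certificate (confirm).
      # Exits 42 when no ready pod or container is found; how the role
      # treats that exit code is defined in the role - verify there.
      # NOTE(review): crictl's --name filter is a regular expression, so any
      # dots in ansible_nodename match any character; the ^...$ anchors still
      # keep the match to a single pod name unless pod names collide.
      reload: |
        pod_id=$(crictl pods -q --state ready --name "^mumble-{{ mumble_instance }}-{{ ansible_nodename }}$")
        [ -n "$pod_id" ] || exit 42
        container_id=$(crictl ps -q --name '^mumble$' -p "$pod_id")
        [ -n "$container_id" ] || exit 42
        crictl exec "$container_id" kill -USR1 1
  include_role:
    name: "x509/{{ mumble_tls.certificate_provider }}/cert"

# Unlike the ssl directory, the data directory is owned by the service user.
- name: create mumble data directory
  file:
    path: "{{ mumble_base_path }}/{{ mumble_instance }}/data"
    state: directory
    owner: mumble
    group: mumble
    mode: "0750"

- name: install pod manifest
  vars:
    kubernetes_standalone_pod:
      name: "mumble-{{ mumble_instance }}"
      spec: "{{ lookup('template', 'pod-spec.yml.j2') }}"
      # presumably the file mode of the installed manifest; "0600" would keep
      # it readable by its owner only - confirm in the role
      mode: "0600"
  include_role:
    name: kubernetes/standalone/pod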