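---
# Per-instance deployment of one onlyoffice pod. Every task is keyed on
# `onlyoffice_instance` (the instance name) and reads its settings from
# `onlyoffice_instances[onlyoffice_instance]`; both are expected to be set
# by the caller (this file does not define them).

# Backing volume: the storage role is chosen by `.storage.type` and is
# expected to export `storage_volume_mountpoint`, which the next task reads.
- name: prepare storage volume
  vars:
    storage_volume: "{{ onlyoffice_instances[onlyoffice_instance].storage }}"
  include_role:
    name: "storage/{{ onlyoffice_instances[onlyoffice_instance].storage.type }}/volume"

- set_fact:
    onlyoffice_instance_basepath: "{{ storage_volume_mountpoint }}"

- name: create onlyoffice database subdirectory
  file:
    path: "{{ onlyoffice_instance_basepath }}/postgres"
    state: directory

# Holds the private key installed below; keep the directory owner-only.
# Mode is quoted (as for the other modes in this file) so YAML does not
# parse it as an octal/decimal integer.
- name: create onlyoffice tls subdirectory
  file:
    path: "{{ onlyoffice_instance_basepath }}/tls"
    state: directory
    mode: "0700"

# Server certificate for the pod's own listener. It is issued by the publish
# zone's CA and is what the nginx front-end (last task) verifies against.
# NOTE(review): `x509_certificate_hostnames` is empty, so the certificate is
# identified by its common_name only (no SANs) — confirm that the x509 role
# and the nginx `proxy_ssl` verification below accept a CN-only certificate.
- name: generate/install TLS certificates for publishment
  vars:
    x509_certificate_name: "onlyoffice-{{ onlyoffice_instance }}_publish"
    x509_certificate_hostnames: []
    x509_certificate_config:
      ca: "{{ onlyoffice_instances[onlyoffice_instance].publish.zone.certificate_ca_config }}"
      cert:
        common_name: "onlyoffice-{{ onlyoffice_instance }}.{{ inventory_hostname }}"
        extended_key_usage:
          - serverAuth
        # Canonical booleans instead of the YAML-1.1-only `yes`.
        extended_key_usage_critical: true
        create_subject_key_identifier: true
        # Validity passed through to the x509 role; renewal is handled by
        # `x509_certificate_renewal` below.
        not_after: +100w
    x509_certificate_renewal:
      install:
        # Certificate and key are only ever read by the pod; 0400 for both.
        - dest: "{{ onlyoffice_instance_basepath }}/tls/onlyoffice.crt"
          src:
            - cert
          mode: "0400"
        - dest: "{{ onlyoffice_instance_basepath }}/tls/onlyoffice.key"
          src:
            - key
          mode: "0400"
  include_role:
    name: "x509/{{ onlyoffice_instances[onlyoffice_instance].publish.zone.certificate_provider }}/cert"

# The pod spec itself lives in pod-spec.yml.j2 next to this file.
- name: install pod manifest
  vars:
    kubernetes_standalone_pod:
      name: "onlyoffice-{{ onlyoffice_instance }}"
      spec: "{{ lookup('template', 'pod-spec.yml.j2') }}"
      mode: "0600"
  include_role:
    name: kubernetes/standalone/pod

# Public entry point: an nginx vhost on the zone's publisher host that
# reverse-proxies to this pod over TLS. The vhost definition is rendered as
# YAML text first (the Jinja control blocks below run inside the block
# scalar) and then parsed with `from_yaml`, because its shape depends on
# whether the instance defines `publish.tls` and on how many hostnames it
# publishes.
- name: configure nginx vhost for publishment
  vars:
    nginx_vhost__yaml: |
      name: "onlyoffice-{{ onlyoffice_instance }}.{{ inventory_hostname }}"
      template: generic
      {% if 'tls' in onlyoffice_instances[onlyoffice_instance].publish %}
      tls:
        {{ onlyoffice_instances[onlyoffice_instance].publish.tls | to_nice_yaml(indent=2) | indent(2) }}
      {% endif %}
      hostnames:
      {% for hostname in onlyoffice_instances[onlyoffice_instance].publish.hostnames %}
        - "{{ hostname }}"
      {% endfor %}
      locations:
        '/':
          {% if onlyoffice_instances[onlyoffice_instance].publish.zone.publisher == inventory_hostname %}
          proxy_pass: "https://127.0.0.1:{{ onlyoffice_instances[onlyoffice_instance].port }}"
          {% else %}
          proxy_pass: "https://{{ ansible_default_ipv4.address }}:{{ onlyoffice_instances[onlyoffice_instance].port }}"
          {% endif %}
          proxy_ssl:
            trusted_certificate: "/etc/ssl/apps-publish-{{ onlyoffice_instances[onlyoffice_instance].publish.zone.name }}/apps-publish-{{ onlyoffice_instances[onlyoffice_instance].publish.zone.name }}-ca-crt.pem"
            verify: "on"
            name: "onlyoffice-{{ onlyoffice_instance }}.{{ inventory_hostname }}"
            protocols: "TLSv1.2 TLSv1.3"
          extra_directives: |-
            client_max_body_size 0;
    nginx_vhost: "{{ nginx_vhost__yaml | from_yaml }}"
  include_role:
    name: nginx/vhost
    apply:
      delegate_to: "{{ onlyoffice_instances[onlyoffice_instance].publish.zone.publisher }}"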