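---
# Tasks for provisioning a single whawty-auth instance. The instance is
# selected by `whawty_auth_instance`; all instance settings are read from
# `whawty_auth_instances[whawty_auth_instance]`.
#
# Everything the instance needs lives below `whawty_auth_instance_basepath`
# (set from the storage volume's mountpoint below): config/, store/, tls/ and
# optionally sync/. Files that hold secrets (store config, TLS key, ssh host
# key) are owned by `app` and kept unreadable for other users.
#
# All file modes are written as quoted strings: YAML 1.1 parsers read `0700`
# as an octal int, YAML 1.2 parsers would read it as decimal 700, so quoting
# keeps the value unambiguous and matches the quoted modes used further down.

- name: prepare storage volume
  vars:
    storage_volume: "{{ whawty_auth_instances[whawty_auth_instance].storage }}"
  include_role:
    name: "storage/{{ whawty_auth_instances[whawty_auth_instance].storage.type }}/volume"

# `storage_volume_mountpoint` is expected to be exported by the storage role
# included above; every later path is built relative to it.
- set_fact:
    whawty_auth_instance_basepath: "{{ storage_volume_mountpoint }}"

- name: create instance config directory
  file:
    path: "{{ whawty_auth_instance_basepath }}/config"
    state: directory

- name: create instance store directory
  file:
    path: "{{ whawty_auth_instance_basepath }}/store"
    state: directory
    owner: app
    mode: "0700"

- name: generate store config
  template:
    src: store.yml.j2
    dest: "{{ whawty_auth_instance_basepath }}/config/store.yml"
    mode: "0400"
    owner: app

- name: create instance tls directory
  file:
    path: "{{ whawty_auth_instance_basepath }}/tls"
    state: directory
    owner: app
    mode: "0500"

# Server certificate used when the instance is published through nginx; the
# cert/key pair is installed into the tls directory created above. The CA and
# provider come from the publish zone configuration of the instance.
- name: generate/install TLS certificates for publishment
  vars:
    x509_certificate_name: "whawty-auth-{{ whawty_auth_instance }}_publish"
    x509_certificate_hostnames: []
    x509_certificate_config:
      ca: "{{ whawty_auth_instances[whawty_auth_instance].publish.zone.certificate_ca_config }}"
      cert:
        # must match the proxy_ssl name used in the nginx vhost below
        common_name: "whawty-auth-{{ whawty_auth_instance }}.{{ inventory_hostname }}"
        extended_key_usage:
          - serverAuth
        extended_key_usage_critical: true
        create_subject_key_identifier: true
        not_after: "+100w"
    x509_certificate_renewal:
      install:
        - dest: "{{ whawty_auth_instance_basepath }}/tls/publish-crt.pem"
          src:
            - fullchain
          owner: app
          mode: "0444"
        - dest: "{{ whawty_auth_instance_basepath }}/tls/publish-key.pem"
          src:
            - key
          owner: app
          mode: "0400"
  include_role:
    name: "x509/{{ whawty_auth_instances[whawty_auth_instance].publish.zone.certificate_provider }}/cert"

- name: generate app web config
  template:
    src: web.yml.j2
    dest: "{{ whawty_auth_instance_basepath }}/config/web.yml"
    mode: "0400"
    owner: app

# Optional sync setup, only when the instance defines a `sync` section.
- name: set up sync config
  when: "'sync' in whawty_auth_instances[whawty_auth_instance]"
  block:
    - name: create sync directory
      file:
        path: "{{ whawty_auth_instance_basepath }}/sync"
        state: directory

    - name: generate sync config files
      loop:
        - group
        - passwd
        - rsyncd.conf
        - sshd_config
      template:
        src: "sync-{{ item }}.j2"
        dest: "{{ whawty_auth_instance_basepath }}/sync/{{ item }}"

    - name: generate authorized_keys for sync
      copy:
        content: "{{ whawty_auth_instances[whawty_auth_instance].sync.authorized_keys | join('\n') }}\n"
        dest: "{{ whawty_auth_instance_basepath }}/sync/authorized_keys"

    # `creates` makes this idempotent: an existing host key is never replaced.
    - name: generate ssh host key for sync
      command: "ssh-keygen -q -t ed25519 -f '{{ whawty_auth_instance_basepath }}/sync/ssh_host_ed25519_key' -C '' -N ''"
      args:
        creates: "{{ whawty_auth_instance_basepath }}/sync/ssh_host_ed25519_key"

    - name: fix permissions for ssh host keys
      file:
        path: "{{ whawty_auth_instance_basepath }}/sync/ssh_host_ed25519_key"
        owner: app

# The config hash items are rendered as YAML text first (so the sync entries
# can be added conditionally) and parsed with `from_yaml` afterwards.
- name: install pod manifest
  vars:
    whawty_auth_instance_config_hash_items__yaml: |
      - path: "{{ whawty_auth_instance_basepath }}/config/store.yml"
      - path: "{{ whawty_auth_instance_basepath }}/config/web.yml"
      {% if 'sync' in whawty_auth_instances[whawty_auth_instance] %}
      - path: "{{ whawty_auth_instance_basepath }}/sync/group"
      - path: "{{ whawty_auth_instance_basepath }}/sync/passwd"
      - path: "{{ whawty_auth_instance_basepath }}/sync/rsyncd.conf"
      - path: "{{ whawty_auth_instance_basepath }}/sync/ssh_host_ed25519_key"
      - path: "{{ whawty_auth_instance_basepath }}/sync/sshd_config"
      {% endif %}
    kubernetes_standalone_pod:
      name: "whawty-auth-{{ whawty_auth_instance }}"
      spec: "{{ lookup('template', 'pod-spec.yml.j2') }}"
      config_hash_items: "{{ whawty_auth_instance_config_hash_items__yaml | from_yaml }}"
  include_role:
    name: kubernetes/standalone/pod

# The vhost is applied on the zone's publisher host. nginx verifies the
# upstream certificate (`verify: "on"`) against the zone CA and expects the
# common name generated above; hostnames are quoted so that a templated value
# can never be re-typed by the YAML parser.
- name: configure nginx vhost for publishment
  vars:
    nginx_vhost__yaml: |
      name: "whawty-auth-{{ whawty_auth_instance }}.{{ inventory_hostname }}"
      template: generic
      {% if 'tls' in whawty_auth_instances[whawty_auth_instance].publish %}
      tls:
        {{ whawty_auth_instances[whawty_auth_instance].publish.tls | to_nice_yaml(indent=2) | indent(2) }}
      {% endif %}
      hostnames:
      {% for hostname in whawty_auth_instances[whawty_auth_instance].publish.hostnames %}
        - "{{ hostname }}"
      {% endfor %}
      locations:
        '/':
      {% if whawty_auth_instances[whawty_auth_instance].publish.zone.publisher == inventory_hostname %}
          proxy_pass: "https://127.0.0.1:{{ whawty_auth_instances[whawty_auth_instance].port }}"
      {% else %}
          proxy_pass: "https://{{ ansible_default_ipv4.address }}:{{ whawty_auth_instances[whawty_auth_instance].port }}"
      {% endif %}
          proxy_ssl:
            trusted_certificate: "/etc/ssl/apps-publish-{{ whawty_auth_instances[whawty_auth_instance].publish.zone.name }}/apps-publish-{{ whawty_auth_instances[whawty_auth_instance].publish.zone.name }}-ca-crt.pem"
            verify: "on"
            name: "whawty-auth-{{ whawty_auth_instance }}.{{ inventory_hostname }}"
            protocols: "TLSv1.3"
    nginx_vhost: "{{ nginx_vhost__yaml | from_yaml }}"
  include_role:
    name: nginx/vhost
    apply:
      delegate_to: "{{ whawty_auth_instances[whawty_auth_instance].publish.zone.publisher }}"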