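---
# Task file for one whawty-auth instance (selected by `whawty_auth_instance`).
# Lays out the instance under /srv/whawty/<instance>: config + store
# directories, the store config, an optional TLS block, an optional sync
# block, and finally the pod manifest via kubernetes/standalone/pod.
## TODO: add storage handling!
- set_fact:
    whawty_auth_instance_basepath: "/srv/whawty/{{ whawty_auth_instance }}"

## ## TODO: custom user
- name: create instance directories
  loop:
    - config
    - store
  file:
    path: "{{ whawty_auth_instance_basepath }}/{{ item }}"
    state: directory

- name: generate store config
  template:
    src: store.yml.j2
    dest: "{{ whawty_auth_instance_basepath }}/config/store.yml"
    # Quoted so Ansible receives the octal mode as a string; an unquoted
    # 0400 is an integer to the YAML parser and can be mis-applied in loops.
    mode: "0400"

# Only run when the instance definition carries a `tls` key.
- name: set up tls config
  when: "'tls' in whawty_auth_instances[whawty_auth_instance]"
  block:
    - name: create tls directory
      file:
        path: "{{ whawty_auth_instance_basepath }}/config/tls"
        state: directory
        # NOTE(review): 0400 on a directory removes the traverse (x) bit, so
        # only root can enter it; if a non-root process must read cert.pem /
        # key.pem this should be "0500" or "0700" — confirm with the pod's
        # runtime user before changing.
        mode: "0400"

    - name: generate/install/fetch TLS certificate
      vars:
        x509_certificate_name: "whawty-auth-{{ whawty_auth_instance }}"
        x509_certificate_hostnames: "{{ whawty_auth_instances[whawty_auth_instance].hostnames }}"
        x509_certificate_renewal:
          install:
            - dest: "{{ whawty_auth_instance_basepath }}/config/tls/cert.pem"
              src:
                - fullchain
              mode: "0400"
            - dest: "{{ whawty_auth_instance_basepath }}/config/tls/key.pem"
              src:
                - key
              mode: "0400"
          # Renewal hook: stop the `app` container of the ready pod so it is
          # restarted with the new certificate. Exits 0 (no-op) when the pod
          # or container is not found.
          reload: |
            pod_id=$(crictl pods -q --state ready --name "^whawty-auth-{{ whawty_auth_instance }}-{{ ansible_nodename }}$")
            [ -n "$pod_id" ] || exit 0
            container_id=$(crictl ps -q --name '^app$' -p "$pod_id")
            [ -n "$container_id" ] || exit 0
            crictl stop "$container_id"
      include_role:
        name: "x509/{{ whawty_auth_instances[whawty_auth_instance].tls.certificate_provider }}/cert"

    # Renamed from the duplicated "generate store config" so the two
    # template tasks are distinguishable in play output.
    - name: generate web config
      template:
        src: web.yml.j2
        dest: "{{ whawty_auth_instance_basepath }}/config/web.yml"
        mode: "0400"

# Only run when the instance definition carries a `sync` key.
- name: set up sync config
  when: "'sync' in whawty_auth_instances[whawty_auth_instance]"
  block:
    - name: create sync directory
      file:
        path: "{{ whawty_auth_instance_basepath }}/sync/gokr-rsyncd"
        state: directory

    - name: generate sync config
      template:
        src: sync.toml.j2
        dest: "{{ whawty_auth_instance_basepath }}/sync/config.toml"

    - name: generate authorized_keys for sync
      copy:
        # Keys come from the instance definition; one per line, trailing newline.
        content: "{{ whawty_auth_instances[whawty_auth_instance].sync.authorized_keys | join('\n') }}\n"
        dest: "{{ whawty_auth_instance_basepath }}/sync/authorized_keys"

    - name: generate ssh host key for sync
      command: "ssh-keygen -q -t ed25519 -f '{{ whawty_auth_instance_basepath }}/sync/gokr-rsyncd/ssh_host_ed25519_key' -C '' -N ''"
      args:
        # Idempotent: skipped once the key file exists.
        creates: "{{ whawty_auth_instance_basepath }}/sync/gokr-rsyncd/ssh_host_ed25519_key"

- name: install pod manifest
  vars:
    # Rendered by Jinja first, then parsed with `from_yaml` below; the
    # optional entries mirror the `tls` / `sync` blocks above.
    whawty_auth_instance_config_hash_items__yaml: |
      - path: "{{ whawty_auth_instance_basepath }}/config/store.yml"
      {% if 'tls' in whawty_auth_instances[whawty_auth_instance] %}
      - path: "{{ whawty_auth_instance_basepath }}/config/web.yml"
      {% endif %}
      {% if 'sync' in whawty_auth_instances[whawty_auth_instance] %}
      - path: "{{ whawty_auth_instance_basepath }}/sync/config.toml"
      - path: "{{ whawty_auth_instance_basepath }}/sync/authorized_keys"
      - path: "{{ whawty_auth_instance_basepath }}/sync/gokr-rsyncd/ssh_host_ed25519_key"
      {% endif %}
    kubernetes_standalone_pod:
      name: "whawty-auth-{{ whawty_auth_instance }}"
      spec: "{{ lookup('template', 'pod-spec.yml.j2') }}"
      # presumably used by the role to roll the pod when any listed file
      # changes — verify against kubernetes/standalone/pod.
      config_hash_items: "{{ whawty_auth_instance_config_hash_items__yaml | from_yaml }}"
  include_role:
    name: kubernetes/standalone/pod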