---

- name: Generate self-signed certificate
  import_tasks: ../includes/create_selfsigned_cert.yml
  vars:
    cert_path: "{{ nomad_conf.tls.cert_file }}"
    cert_key_path: "{{ nomad_conf.tls.key_file }}"
    cert_key_mode: omit
  tags: nomad

- name: Check if CA exists
  stat: path={{ nomad_conf.tls.ca_file }}
  register: nomad_ca_file
  tags: nomad

- name: Copy cert as CA
  copy: src={{ nomad_conf.tls.cert_file }} dest={{ nomad_conf.tls.ca_file }} remote_src=True
  when: not nomad_ca_file.stat.exists
  tags: nomad

- when: nomad_conf.consul.ca_file is defined
  block:
    - name: Generate self-signed certificate
      import_tasks: ../includes/create_selfsigned_cert.yml
      vars:
        cert_path: "{{ nomad_conf.consul.cert_file }}"
        cert_key_path: "{{ nomad_conf.consul.key_file }}"
        cert_key_mode: omit
      tags: nomad

    - name: Check if CA exists
      stat: path={{ nomad_conf.tls.ca_file }}
      register: nomad_consul_ca_file
  tags: nomad

- name: Copy consul cert as consul CA
  copy: src={{ nomad_conf.consul.cert_file }} dest={{ nomad_conf.consul.ca_file }} remote_src=True
  when: nomad_conf.consul.ca_file is defined and not nomad_consul_ca_file.stat.exists
  tags: nomad

- name: Deploy nomad configuration
  block:
    - name: Deploy nomad configuration
      template:
        src: nomad.hcl.j2
        dest: "{{ nomad_root_dir }}/etc/nomad.hcl"
        owner: root
        group: "{{ nomad_user }}"
        mode: 0640
        backup: True
      register: nomad_main_conf
      notify: restart nomad

    - name: Deploy nomad reloadable configuration
      template:
        src: reload.hcl.j2
        dest: "{{ nomad_root_dir }}/etc/reload.hcl"
        owner: root
        group: "{{ nomad_user }}"
        mode: 0640
        backup: True
      register: nomad_reload_conf
      notify: reload nomad

    - name: Validate configuration
      command: nomad config validate {{ nomad_root_dir }}/etc/nomad.hcl {{ nomad_root_dir }}/etc/reload.hcl
      changed_when: False
      become_user: "{{ nomad_user }}"
      register: nomad_conf_validation

  rescue:
    - block:
        - name: Restore main configuration
          copy:
            src: "{{ nomad_main_conf.backup_file }}"
            dest: "{{ nomad_root_dir }}/etc/nomad.hcl"
            remote_src: True
            owner: root
            group: "{{ nomad_user }}"
            mode: 0640
          when: nomad_main_conf.backup_file is defined
  
        - name: Restore reloadable configuration
          copy:
            src: "{{ nomad_reload_conf.backup_file }}"
            dest: "{{ nomad_root_dir }}/etc/reload.hcl"
            remote_src: True
            owner: root
            group: "{{ nomad_user }}"
            mode: 0640
          when: nomad_reload_conf.backup_file is defined

  tags: nomad

- name: Fail if configuration validation failed
  fail:
    msg: "Failed to validate configuration: {{ nomad_conf_validation.stdout }}"
  when: nomad_conf_validation.rc != 0
  tags: nomad

# Now we remove the backup config to prevent nomad warning about invalid config files
- name: List backup conf
  shell: ls -1 {{ nomad_root_dir }}/etc/*.hcl.*
  failed_when: False
  changed_when: False
  register: nomad_backup_configs
  tags: nomad

- name: Remove backup configs
  file: path={{ item }} state=absent
  loop: "{{ nomad_backup_configs.stdout_lines }}"
  tags: nomad

#- name: Deploy vault-agent config
#  template: src=vault/agent.hcl.j2 dest={{ nomad_root_dir }}/vault/agent.hcl mode=640 owner=root group={{ nomad_user }}
#  notify: restart nomad-vault-agent
#  when: nomad_vault_agent.nomad_pki.enabled or nomad_vault_agent.consul_pki.enabled
#  tags: nomad
#
#- name: Deploy agent cert bundle template
#  template: src=vault/agent_bundle.pem.tpl.j2 dest={{ nomad_root_dir }}/vault/templates/agent_bundle.pem.tpl owner=root group=root
#  notify: restart nomad-vault-agent
#  when: nomad_vault_agent.nomad_pki.enabled or nomad_vault_agent.consul_pki.enabled
#  tags: nomad
#  
#- name: Deploy cli cert bundle template
#  template: src=vault/cli_bundle.pem.tpl.j2 dest={{ nomad_root_dir }}/vault/templates/cli_bundle.pem.tpl owner=root group=root
#  notify: restart nomad-vault-agent
#  when: (nomad_vault_agent.nomad_pki.enabled or nomad_vault_agent.consul_pki.enabled) and nomad_conf.server.enabled
#  tags: nomad
#
#- name: Deploy consul token template
#  template: src=vault/consul_token.tpl.j2 dest={{ nomad_root_dir }}/vault/templates/consul_token.tpl owner=root group=root
#  notify: restart nomad-vault-agent
#  when: (nomad_vault_agent.consul_token.enabled) and nomad_conf.server.enabled
#  tags: nomad
#
#- fail: msg="Only one of token or approle should be configured"
#  when:
#    - nomad_vault_agent.auth.approle is defined
#    - nomad_vault_agent.auth.token is defined
#  tags: nomad
#
#- name: Setup AppRole auth
#  block:
#    - copy: content={{ nomad_vault_agent.auth.approle.role_id }} dest={{ nomad_root_dir }}/vault/role_id owner=root group={{ nomad_user }} mode=640
#    - copy: content={{ nomad_vault_agent.auth.approle.secret_id }} dest={{ nomad_root_dir }}/vault/secret_id owner=root group={{ nomad_user }} mode=640
#    - file: path={{ nomad_root_dir }}/vault/token state=absent
#  when:
#    - nomad_vault_agent.auth is defined
#    - nomad_vault_agent.auth.approle is defined
#    - nomad_vault_agent.auth.approle.role_id is defined
#    - nomad_vault_agent.auth.approle.secret_id is defined
#  tags: nomad
#
#- name: Setup Token auth
#  block:
#    - copy: content={{ nomad_vault_agent.auth.token }} dest={{ nomad_root_dir }}/vault/token owner=root group={{ nomad_user }} mode=640
#    - file: path={{ nomad_root_dir }}/vault/role_id state=absent
#    - file: path={{ nomad_root_dir }}/vault/secret_id state=absent
#  when:
#    - nomad_vault_agent.auth is defined
#    - nomad_vault_agent.auth.token is defined
#  tags: nomad

- name: Set ACL on the TLS dir
  shell: |
    setfacl -R -b -k {{ nomad_root_dir }}/tls
    chown -R :{{ nomad_user }} {{ nomad_root_dir }}/tls
    chmod 750 {{ nomad_root_dir }}/tls
    chmod 640 {{ nomad_root_dir }}/tls/*
    setfacl -m u:{{ nomad_user }}:rx {{ nomad_root_dir }}/tls
    setfacl -m d:u:{{ nomad_user }}:r {{ nomad_root_dir }}/tls
    setfacl -m u:{{ nomad_user }}:r {{ nomad_root_dir }}/tls/*
    {% if nomad_admin_groups | length > 0 %}
    setfacl -m {% for group in nomad_admin_groups %}g:{{ group }}:rx{{ ',' if not loop.last }}{% endfor %} {{ nomad_root_dir }}/tls
    setfacl -m {% for group in nomad_admin_groups %}d:g:{{ group }}:r{{ ',' if not loop.last }}{% endfor %} {{ nomad_root_dir }}/tls
    setfacl -m {% for group in nomad_admin_groups %}g:{{ group }}:r{{ ',' if not loop.last }}{% endfor %} {{ nomad_root_dir }}/tls/*
    {% endif %}
  changed_when: False
  failed_when: False # Do not fail if eg, the FS doesn't support ACL
  tags: nomad

- name: Deploy profile script
  template: src=profile.sh.j2 dest=/etc/profile.d/nomad.sh
  tags: nomad

- name: Ensure the bridge module is loaded
  modprobe: name=bridge state=present
  when: nomad_conf.client.enabled and 'docker' in nomad_enabled_task_drivers
  tags: nomad

- name: Set sysctl
  sysctl:
    name: "{{ item.key }}"
    value: "{{ item.val }}"
    sysctl_file: /etc/sysctl.d/nomad.conf
    state: "{{ (nomad_conf.client.enabled and 'docker' in nomad_enabled_task_drivers) | ternary('present', 'absent') }}"
  loop:
    - key: net.bridge.bridge-nf-call-arptables
      val: 1
    - key: net.bridge.bridge-nf-call-ip6tables
      val: 1
    - key: net.bridge.bridge-nf-call-iptables
      val: 1
  tags: nomad

- name: Deploy Docker auth config
  template: src=docker_auth.json.j2 dest={{ nomad_root_dir }}/docker/auth.json owner={{ nomad_user }} group={{ nomad_user }} mode=600
  tags: nomad