---

# Ensure certificates exists. This is needed so first consul service starts doesn't fail
# when consul-template hasn't populated the cert yet
- name: Generate self-signed certificate
  import_tasks: ../includes/create_selfsigned_cert.yml
  vars:
    cert_path: "{{ consul_conf.tls.defaults.cert_file }}"
    cert_key_path: "{{ consul_conf.tls.defaults.key_file }}"
    cert_key_group: "{{ consul_user }}"
    cert_key_mode: 640
  tags: consul

- name: Check if CA exists
  stat: path={{ consul_conf.tls.defaults.ca_file }}
  register: consul_ca_file
  tags: consul

- name: Copy cert as CA
  copy: src={{ consul_conf.tls.defaults.cert_file }} dest={{ consul_conf.tls.defaults.ca_file }} remote_src=True
  when: not consul_ca_file.stat.exists
  tags: consul

- name: Deploy consul configuration
  block:
    - name: Deploy consul configuration
      template:
        src: consul.hcl.j2
        dest: "{{ consul_root_dir }}/etc/consul.hcl"
        owner: root
        group: "{{ consul_user }}"
        mode: 0640
        backup: True
      register: consul_main_conf
      notify: restart consul

    - name: Deploy consul reloadable configuration
      template:
        src: reload.hcl.j2
        dest: "{{ consul_root_dir }}/etc/reload.hcl"
        owner: root
        group: "{{ consul_user }}"
        mode: 0640
        backup: True
      register: consul_reload_conf
      notify: reload consul

    - name: Validate configuration
      command: consul validate {{ consul_root_dir }}/etc
      changed_when: False
      become_user: "{{ consul_user }}"
      register: consul_conf_validation

  rescue:
    - block:
        - name: Restore main configuration
          copy:
            src: "{{ consul_main_conf.backup_file }}"
            dest: "{{ consul_root_dir }}/etc/consul.hcl"
            remote_src: True
            owner: root
            group: "{{ consul_user }}"
            mode: 0640
          when: consul_main_conf.backup_file is defined
  
        - name: Restore reloadable configuration
          copy:
            src: "{{ consul_reload_conf.backup_file }}"
            dest: "{{ consul_root_dir }}/etc/reload.hcl"
            remote_src: True
            owner: root
            group: "{{ consul_user }}"
            mode: 0640
          when: consul_reload_conf.backup_file is defined

  tags: consul

- name: Fail if configuration validation failed
  fail:
    msg: "Failed to validate configuration: {{ consul_conf_validation.stdout }}"
  when: consul_conf_validation.rc != 0
  tags: consul

# Now we remove the backup config to prevent consul warning about invalid config files
- name: List backup conf
  shell: ls -1 {{ consul_root_dir }}/etc/*.hcl.*
  failed_when: False
  changed_when: False
  register: consul_backup_configs
  tags: consul

- name: Remove backup configs
  file: path={{ item }} state=absent
  loop: "{{ consul_backup_configs.stdout_lines }}"
  tags: consul

- name: Deploy consul-template config
  template: src=consul-template.hcl.j2 dest={{ consul_root_dir }}/consul-template/consul-template.hcl mode=600 owner=root group=root
  notify: restart consul-template-consul
  when: consul_vault_secrets.pki.enabled or consul_vault_secrets.tokens.enabled
  tags: consul

- name: Deploy agent bundle template
  template: src=agent_bundle.pem.tpl.j2 dest={{ consul_root_dir }}/consul-template/agent_bundle.pem.tpl owner=root group=root
  notify: restart consul-template-consul
  when: consul_vault_secrets.pki.enabled
  tags: consul

- name: Deploy consul-template cli bundle template
  template: src=cli_bundle.pem.tpl.j2 dest={{ consul_root_dir }}/consul-template/cli_bundle.pem.tpl owner=root group=root
  notify: restart consul-template-consul
  when: consul_vault_secrets.pki.enabled and consul_conf.server
  tags: consul

- name: Deploy the consul-template agent token template
  template: src=agent.token.tpl.j2 dest={{ consul_root_dir }}/consul-template/agent.token.tpl owner=root group=root
  notify: restart consul-template-consul
  when: consul_vault_secrets.tokens.enabled
  tags: consul

- name: Set ACL on the TLS dir
  shell: |
    setfacl -R -b -k {{ consul_root_dir }}/tls
    {% if consul_admin_groups | length > 0 %}
    setfacl -m {% for group in consul_admin_groups %}g:{{ group }}:rx{{ ',' if not loop.last }}{% endfor %} {{ consul_root_dir }}/tls
    setfacl -m {% for group in consul_admin_groups %}d:g:{{ group }}:r{{ ',' if not loop.last }}{% endfor %} {{ consul_root_dir }}/tls
    setfacl -m {% for group in consul_admin_groups %}g:{{ group }}:r{{ ',' if not loop.last }}{% endfor %} {{ consul_root_dir }}/tls/*
    {% endif %}
  changed_when: False
  failed_when: False # Do not fail if eg, the FS doesn't support ACL
  tags: consul

- name: Deploy profile script
  template: src=profile.sh.j2 dest=/etc/profile.d/consul.sh
  tags: consul