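---
# Vault install: TLS material, server config, logrotate, and (optionally)
# the consul-template pieces that keep the Nomad client certificate bundle
# fresh. All tasks are tagged `vault` so they can be run in isolation.

- name: Generate self-signed certificate
  import_tasks: ../includes/create_selfsigned_cert.yml
  vars:
    cert_path: "{{ vault_root_dir }}/tls/vault.crt"
    cert_key_path: "{{ vault_root_dir }}/tls/vault.key"
    cert_key_group: "{{ vault_user }}"
    # Quoted, with the leading zero: an unquoted `640` is the YAML integer
    # 640 (decimal), which the file module interprets as 01200 (sticky bit
    # plus group-write) rather than rw-r-----. A string is parsed as octal.
    cert_key_mode: "0640"
  tags: vault

- name: Deploy vault configuration
  template:
    src: vault.hcl.j2
    dest: "{{ vault_root_dir }}/etc/vault.hcl"
    owner: "{{ vault_user }}"
    group: "{{ vault_user }}"
    # Owner-read-only: the rendered config may carry listener/storage secrets.
    mode: "0400"
  notify: restart vault
  tags: vault

- name: Ensure correct permission on vault private key
  # root owns the key; the vault group gets read access so the server can
  # load it without being able to overwrite it.
  file:
    path: "{{ vault_root_dir }}/tls/vault.key"
    owner: root
    group: "{{ vault_user }}"
    mode: "0640"
  tags: vault

- name: Setup logrotate
  template:
    src: logrotate.conf.j2
    dest: /etc/logrotate.d/vault
  tags: vault

- name: Nomad certificate rotation via consul-template
  # Only deployed when Vault is configured to issue Nomad client certs.
  when: vault_secrets.nomad.enabled
  tags: vault
  block:
    - name: Deploy the consul-template conf
      template:
        src: consul-template.hcl.j2
        dest: "{{ vault_root_dir }}/consul-template/consul-template.hcl"
        owner: root
        group: root
        # The config holds the Vault token / address used for rendering.
        mode: "0600"
      notify: restart consul-template-vault

    - name: Deploy Nomad certificate bundle template
      # This is the consul-template *template*, not the rendered bundle;
      # ownership/mode of the rendered bundle are set by consul-template itself.
      template:
        src: nomad_client_bundle.pem.tpl.j2
        dest: "{{ vault_root_dir }}/consul-template/nomad_client_bundle.pem.tpl"
      notify: restart consul-template-vault

    - name: Deploy the update cert hook
      # Executable hook run by consul-template after a re-render.
      template:
        src: update_nomad_cert.j2
        dest: "{{ vault_root_dir }}/bin/update_nomad_cert"
        mode: "0755"
      notify: restart consul-template-vault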