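---
# Prerequisites for a HashiCorp Vault zip-based install: packages, a dedicated
# system user and the HashiCorp release-signing GPG key.
# The APT repository was unreliable (not working when this code was developed),
# so the zip solution is favored.

- name: install required packages
  become: true
  ansible.builtin.apt:
    update_cache: true
    cache_valid_time: 3600
    force_apt_get: true
    pkg:
      - gpg
      - curl
      - coreutils

- name: create vault group
  become: true
  ansible.builtin.group:
    name: '{{ hc_vault_runas }}'
    system: true

- name: create vault user
  become: true
  ansible.builtin.user:
    comment: vault dedicated user
    create_home: true
    home: '{{ hc_vault_root_dir }}'
    group: '{{ hc_vault_runas }}'
    name: '{{ hc_vault_runas }}'
    # No password is ever set; the account cannot be used for password login.
    password_lock: true
    shell: '{{ hc_vault_default_shell }}'
    state: present
    system: true
    umask: '{{ hc_vault_default_umask }}'

# Read-only probe of root's keyring: rc != 0 means the key is not imported yet.
- name: check HC GPG key is imported
  become: true
  ansible.builtin.command: gpg --list-keys 'HashiCorp Security'
  register: gpg_list_keys
  changed_when: false
  failed_when: false

# The key is fetched and imported only when absent, then its ID and fingerprint
# are checked against the expected values. NOTE: a key that is already present
# in the keyring is not re-verified by this block.
- name: import and verify HC GPG key
  become: true
  when: gpg_list_keys.rc != 0
  block:
    - name: fetch HC GPG key
      ansible.builtin.get_url:
        url: 'https://www.hashicorp.com/.well-known/pgp-key.txt'
        dest: '{{ tmp_file.path }}/pgp-key.txt'
        mode: '0600'

    - name: import HC GPG key
      ansible.builtin.command: 'gpg --import {{ tmp_file.path }}/pgp-key.txt'

    # The two checks below are pipelines, so they must run through a shell:
    # ansible.builtin.command does not interpret '|', it passes '|' and 'grep'
    # to gpg as extra arguments and the grep never runs, so no verification
    # would take place. pipefail makes a failing gpg fail the whole pipeline.
    - name: check GPG key ID
      ansible.builtin.shell: >-
        set -o pipefail &&
        gpg --list-keys 'HashiCorp Security'
        | grep -iE '{{ hc_vault_gpg_key_id_regexp }}'
      args:
        executable: /bin/bash
      changed_when: false

    - name: check GPG key fingerprint
      ansible.builtin.shell: >-
        set -o pipefail &&
        gpg --fingerprint --list-signatures 'HashiCorp Security'
        | grep -iE '{{ hc_vault_gpg_key_fingerprint_regexp }}'
      args:
        executable: /bin/bash
      changed_when: false
  rescue:
    # Best-effort cleanup so an unverified key does not stay in the keyring;
    # the fail task below stops the run whether or not the deletion succeeds.
    - name: remove invalid GPG key
      ansible.builtin.command: "gpg --delete-keys --batch --yes 'HashiCorp Security'"
      failed_when: false

    - name: stop the playbook run
      ansible.builtin.fail:
        msg: 'Task "{{ ansible_failed_task.name }}" found an inconsistency with the imported GPG key; something somewhere is deeply wrong.'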