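---
# Vault installation tasks: download and verify the release archive, install
# the binary, lay out the directories, install the systemd unit, config and
# environment files, and provision TLS material (provided or self-generated).
# The handlers notified below ('vault : restart vault service',
# 'vault : reload vault service') are defined outside this file.

- name: '[setup] gather facts if not already done'
  # NOTE(review): there is no `when` guard on this task, so the subset is
  # (re)gathered on every run regardless of what the name suggests.
  ansible.builtin.setup:
    gather_subset:
      - all_ipv4_addresses
      - default_ipv4
      - dns

- name: install vault binary
  when: not hc_vault_binary_installed or hc_vault_local_binary_version != hc_vault_version
  notify:
    - 'vault : restart vault service'
  block:
    # Archive, SHA256SUMS and its detached signature are all fetched into the
    # temporary directory; nothing is installed until both checks below pass.
    - name: download archive
      ansible.builtin.get_url:
        url: 'https://releases.hashicorp.com/vault/{{ hc_vault_version }}/vault_{{ hc_vault_version }}_{{ hc_vault_architecture }}.zip'
        dest: '{{ tmp_file.path }}/vault_{{ hc_vault_version }}_{{ hc_vault_architecture }}.zip'
        mode: '0600'

    - name: download SHASUMs file signature
      ansible.builtin.get_url:
        url: 'https://releases.hashicorp.com/vault/{{ hc_vault_version }}/vault_{{ hc_vault_version }}_SHA256SUMS.sig'
        dest: '{{ tmp_file.path }}/shasums.sig'
        mode: '0600'

    - name: download SHASUMs files for vault releases
      ansible.builtin.get_url:
        url: 'https://releases.hashicorp.com/vault/{{ hc_vault_version }}/vault_{{ hc_vault_version }}_SHA256SUMS'
        dest: '{{ tmp_file.path }}/shasums.txt'
        mode: '0600'

    - name: Verify downloaded files integrity
      block:
        - name: check SHASUMs file integrity
          # gpg exits non-zero on a bad or unverifiable signature, which fails
          # the task. The HashiCorp release-signing public key must already be
          # in the keyring of the user running this task; importing it (and
          # pinning its fingerprint) is not done in this file.
          ansible.builtin.command: 'gpg --verify {{ tmp_file.path }}/shasums.sig {{ tmp_file.path }}/shasums.txt'
          changed_when: false  # read-only check; never report a change

        - name: check SHASUM of the downloaded archive
          # shasums.txt lists every release artifact, so sha256sum exits
          # non-zero for the files that were not downloaded. Success is
          # therefore decided solely by the "OK" line for our archive.
          ansible.builtin.command:
            cmd: 'sha256sum -c {{ tmp_file.path }}/shasums.txt'
            chdir: '{{ tmp_file.path }}'
          register: shasum_check
          changed_when: false  # read-only check; never report a change
          failed_when: 'search_string not in shasum_check.stdout'
          vars:
            search_string: 'vault_{{ hc_vault_version }}_{{ hc_vault_architecture }}.zip: OK'

    - name: install vault package
      become: true
      # `set -eu` makes a failed cd/unzip/install abort the script instead of
      # falling through to the sanity check. The sanity check itself now fails
      # the task: the previous `|| (echo ...)` swallowed the error and reported
      # success for an unusable binary.
      ansible.builtin.shell: |
        set -eu
        cd {{ tmp_file.path }}
        unzip -o vault_{{ hc_vault_version }}_{{ hc_vault_architecture }}.zip
        install -g {{ hc_vault_runas }} -o {{ hc_vault_runas }} -p -m 500 ./vault {{ hc_vault_binary_path }}
        {{ hc_vault_binary_path }} version > /dev/null || { echo "Unexpected return, binary might be invalid" >&2; exit 1; }

- name: prepare directory layout
  become: true
  ansible.builtin.file:
    path: '{{ item }}'
    owner: '{{ hc_vault_runas }}'
    group: '{{ hc_vault_runas }}'
    mode: '0700'
    state: directory
  loop:
    - '{{ hc_vault_root_dir }}/config'
    - '{{ hc_vault_root_dir }}/data'
    - '{{ hc_vault_root_dir }}/tls'

- name: install systemd unit file
  become: true
  notify:
    - 'vault : restart vault service'
  # NOTE(review): /lib/systemd/system is the vendor/package unit directory;
  # locally managed units conventionally go in /etc/systemd/system. Left
  # unchanged here because other tooling may depend on this path.
  ansible.builtin.template:
    src: ../templates/vault-unit.service.j2
    dest: /lib/systemd/system/vault.service
    mode: '0644'
    owner: root
    group: root

- name: install default vault configuration file
  become: true
  notify:
    - 'vault : restart vault service'
  no_log: true  # rendered config may contain secrets; keep it out of logs
  ansible.builtin.template:
    src: ../templates/config.hcl.j2
    dest: '{{ hc_vault_root_dir }}/config/main.hcl'
    mode: '0600'
    owner: '{{ hc_vault_runas }}'
    group: '{{ hc_vault_runas }}'

- name: install environment file
  become: true
  notify:
    - 'vault : restart vault service'
  no_log: true  # environment file may carry credentials
  ansible.builtin.template:
    src: ../templates/env.j2
    dest: '{{ hc_vault_root_dir }}/config/vault.env'
    mode: '0600'
    owner: '{{ hc_vault_runas }}'
    group: '{{ hc_vault_runas }}'

- name: install TLS certificate and key
  become: true
  notify:
    - 'vault : reload vault service'
  no_log: true  # private key material flows through these tasks
  block:
    # Either both certificate and key are supplied by the caller and copied
    # verbatim, or a self-signed ECDSA pair is generated on the host.
    - name: copy provided data
      block:
        - name: TLS certificate
          ansible.builtin.copy:
            content: '{{ hc_vault_server_tls_cert_data }}'
            dest: '{{ hc_vault_root_dir }}/tls/tls.cert'
            owner: '{{ hc_vault_runas }}'
            group: '{{ hc_vault_runas }}'
            mode: '0600'

        - name: Private key
          ansible.builtin.copy:
            content: '{{ hc_vault_server_tls_key_data }}'
            dest: '{{ hc_vault_root_dir }}/tls/tls.key'
            owner: '{{ hc_vault_runas }}'
            group: '{{ hc_vault_runas }}'
            mode: '0600'
      when: hc_vault_server_tls_cert_data and hc_vault_server_tls_key_data

    - name: generate new files
      block:
        - name: generate ECDSA key
          # umask 077 so the private key is never readable by others, even
          # for the short window before the ownership/mode fix-up below.
          ansible.builtin.shell:
            cmd: umask 077 && openssl ecparam -name prime256v1 -genkey -out tls.key
            chdir: '{{ hc_vault_root_dir }}/tls'
            creates: '{{ hc_vault_root_dir }}/tls/tls.key'

        - name: generate certificate
          # Self-signed, 10-year validity. Clients match on SAN, not CN, so
          # the FQDN is listed there too (CN alone was not enough). keyUsage
          # drops keyEncipherment: it is not applicable to EC keys (RFC 5480),
          # TLS with an ECDSA certificate only needs digitalSignature.
          ansible.builtin.command:
            cmd: >
              openssl req -new -days 3650 -nodes -x509
              -subj "/C=FR/ST=Void/L=Void/O=IT/OU=Vault/CN={{ ansible_facts['fqdn'] }}"
              -addext "subjectAltName = DNS:localhost, DNS:{{ ansible_facts['fqdn'] }}, DNS:{{ ansible_facts['hostname'] }}, IP:{{ ansible_facts['default_ipv4']['address'] | default(ansible_facts['all_ipv4_addresses'][0]) }}, IP:127.0.0.1"
              -addext "extendedKeyUsage = serverAuth"
              -addext "keyUsage = nonRepudiation, digitalSignature"
              -addext "basicConstraints = CA:FALSE"
              -key tls.key -out tls.cert
            chdir: '{{ hc_vault_root_dir }}/tls'
            creates: '{{ hc_vault_root_dir }}/tls/tls.cert'

        - name: update files ownership
          # Generated as root (block-level become); hand both files to the
          # service user with owner-only permissions.
          ansible.builtin.file:
            path: '{{ hc_vault_root_dir }}/tls/{{ item }}'
            state: file
            owner: '{{ hc_vault_runas }}'
            group: '{{ hc_vault_runas }}'
            mode: '0600'
          loop:
            - tls.key
            - tls.cert
      when: not hc_vault_server_tls_cert_data or not hc_vault_server_tls_key_data

- name: flush handlers
  # Run the notified restart/reload now so the service is up before any
  # task in a later file talks to it.
  meta: flush_handlers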