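---
# Provisions the CAcert OIDC demo application on a host: /etc/hosts entries,
# a dedicated system user and directory layout, TLS material from mkcert, an
# OAuth2 client registered through the Hydra admin API, the rendered
# application configuration and a systemd unit.
#
# Changes in this revision (security / robustness):
#   * the temporary mkcert directory is removed in an `always:` section, so a
#     freshly generated private key is not left behind when a later step fails;
#   * credentials from an existing configuration are read in place with
#     `slurp` instead of `fetch`, so no plaintext copy of the client secret and
#     session keys is written into the controller's working directory;
#   * every task that carries a secret in its arguments or result is `no_log`,
#     and the configuration template task does not emit a diff (`--diff`
#     would otherwise print the rendered secrets);
#   * new credentials are generated whenever none could be obtained, not only
#     when the configuration file is absent (the read step is best-effort);
#   * the service start performs a daemon-reload, because the unit file is
#     written in this same play and the reload handler only fires at its end.

- name: Manage /etc/hosts
  ansible.builtin.blockinfile:
    path: /etc/hosts
    create: true
    # the fallback to ansible_default_ipv4 requires gathered facts
    block: |
      127.0.0.1 localhost
      127.0.0.2 bookworm
      ::1 localhost ip6-localhost ip6-loopback
      ff02::1 ip6-allnodes
      ff02::2 ip6-allrouters
      {{ oidc_urls.hydra_public.address | default(ansible_default_ipv4.address) }} {{ oidc_urls.hydra_public.host }}
      127.0.0.1 {{ oidc_urls.demoapp.host }}

- name: Create CAcert group
  ansible.builtin.group:
    name: "{{ cacert_os_group }}"
    state: present
    system: true

- name: Create CAcert user
  ansible.builtin.user:
    name: "{{ cacert_os_user }}"
    group: "{{ cacert_os_group }}"
    home: "{{ cacert_home }}"
    state: present
    system: true

# Directories are group-accessible only; the binary and config below are
# root-owned and readable through the group, so the service user cannot
# modify what it executes.
- name: Create CAcert directories
  ansible.builtin.file:
    path: "{{ cacert_home }}/{{ item.path }}"
    owner: "{{ cacert_os_user }}"
    group: "{{ cacert_os_group }}"
    mode: "{{ item.mode }}"
    state: directory
  loop:
    - { path: etc, mode: "0750" }
    - { path: bin, mode: "0750" }
    - { path: download, mode: "0750" }

- name: Create session directory
  ansible.builtin.file:
    path: "{{ demoapp_session_path | default('/var/cache/cacert/sessions') }}"
    owner: "{{ cacert_os_user }}"
    group: "{{ cacert_os_group }}"
    mode: "0750"
    state: directory

# The binary comes from the sibling oidc_app directory on the controller;
# no integrity check is performed here beyond the copy itself.
- name: Copy demo application binary
  ansible.builtin.copy:
    src: ../oidc_app/demo-app
    dest: "{{ cacert_home }}/bin/cacert-oidcdemo"
    owner: root
    group: "{{ cacert_os_group }}"
    mode: "0750"

- name: Check whether certificate exists
  ansible.builtin.stat:
    path: "{{ demoapp_tls.cert }}"
  register: demoapp_cert_st

# Runs as the connecting user (become: false at block level) so mkcert uses
# that user's CA root; only the final copy into the target paths escalates.
- name: Create demo application key and certificate with mkcert
  block:
    - name: Create temporary directory for demo application key and certificate
      ansible.builtin.tempfile:
        prefix: "demoapp-cert."
        state: directory
      register: demoapp_cert_temp_dir

    - name: Create demo application key and certificate
      ansible.builtin.command:
        cmd: >-
          mkcert
          -cert-file {{ demoapp_cert_temp_dir.path }}/demoapp.pem
          -key-file {{ demoapp_cert_temp_dir.path }}/demoapp.key.pem
          {{ oidc_urls.demoapp.host }}
      environment:
        # NOTE(review): an empty CAROOT appears to make mkcert fall back to
        # its default directory — confirm against the installed version
        CAROOT: "{{ mkcert_caroot | default('') }}"

    - name: Move demo application certificate and key to target
      ansible.builtin.copy:
        src: "{{ demoapp_cert_temp_dir.path }}/{{ item.src }}"
        dest: "{{ item.dest }}"
        owner: root
        group: "{{ cacert_os_group }}"
        mode: "{{ item.mode }}"
        remote_src: true
      loop:
        - { src: demoapp.pem, dest: "{{ demoapp_tls.cert }}", mode: "0644" }
        - { src: demoapp.key.pem, dest: "{{ demoapp_tls.key }}", mode: "0640" }
      become: true
  always:
    # Clean up even when mkcert or the copy failed: the temp dir holds the
    # unprotected private key. Guarded because the tempfile task itself may
    # have failed before registering a path.
    - name: Remove temporary directory
      ansible.builtin.file:
        path: "{{ demoapp_cert_temp_dir.path }}"
        state: absent
      when: demoapp_cert_temp_dir is defined and demoapp_cert_temp_dir.path is defined
  when: not demoapp_cert_st.stat.exists
  become: false

- name: Check whether configuration file exists
  ansible.builtin.stat:
    path: "{{ cacert_home }}/etc/cacert-demoapp.toml"
  register: demoapp_config_st

# Best-effort read of credentials from an already deployed configuration. The
# file is read in place (slurp) rather than fetched to the controller. Values
# are TOML basic strings ("..."), which `from_json` turns into plain strings.
# Keys are matched by name independent of their TOML section; the four names
# used here are distinct in the configuration, so this is equivalent to the
# section-scoped lookup it replaces — revisit if the template gains duplicate
# key names across sections.
- name: Get credentials from existing file
  block:
    - name: Read existing configuration file
      ansible.builtin.slurp:
        src: "{{ demoapp_config_st.stat.path }}"
      register: demoapp_config_raw
      no_log: true

    - name: Set credential facts
      ansible.builtin.set_fact:
        demoapp_client_id: >-
          {{ demoapp_config_text
          | regex_search('^\\s*client-id\\s*=\\s*(.*?)\\s*$', '\\1', multiline=true)
          | first | from_json }}
        demoapp_client_secret: >-
          {{ demoapp_config_text
          | regex_search('^\\s*client-secret\\s*=\\s*(.*?)\\s*$', '\\1', multiline=true)
          | first | from_json }}
        demoapp_auth_key: >-
          {{ demoapp_config_text
          | regex_search('^\\s*auth-key\\s*=\\s*(.*?)\\s*$', '\\1', multiline=true)
          | first | from_json }}
        demoapp_enc_key: >-
          {{ demoapp_config_text
          | regex_search('^\\s*enc-key\\s*=\\s*(.*?)\\s*$', '\\1', multiline=true)
          | first | from_json }}
      vars:
        demoapp_config_text: "{{ demoapp_config_raw.content | b64decode }}"
      no_log: true
  # a missing or unparsable key leaves the facts undefined; handled below
  ignore_errors: true
  when: demoapp_config_st.stat.exists

# Register a new OAuth2 client when no usable credentials are available —
# either because no configuration exists yet or because reading it failed.
- name: Generate new credentials
  block:
    - name: Create new client via Hydra admin API
      ansible.builtin.uri:
        url: "https://{{ oidc_urls.hydra_admin.host }}:{{ oidc_urls.hydra_admin.port }}/admin/clients"
        method: POST
        body:
          client_name: "CAcert OIDC demo application"
          redirect_uris:
            - "https://{{ oidc_urls.demoapp.host }}:{{ oidc_urls.demoapp.port }}/callback"
          post_logout_redirect_uris:
            - "https://{{ oidc_urls.demoapp.host }}:{{ oidc_urls.demoapp.port }}/after-logout"
          scope: "openid email profile groups"
        body_format: json
        headers:
          Accept: "application/json"
          Content-Type: "application/json"
        status_code: [201]
      register: hydra_response
      # the response body carries the client secret; keep it out of task output
      no_log: true

    - name: Set credential facts
      ansible.builtin.set_fact:
        demoapp_client_id: "{{ hydra_response.json.client_id }}"
        demoapp_client_secret: "{{ hydra_response.json.client_secret }}"
      no_log: true
  when: demoapp_client_id is not defined or demoapp_client_secret is not defined

- name: Create demo application configuration
  ansible.builtin.template:
    src: demoapp_config.toml.j2
    dest: "{{ cacert_home }}/etc/cacert-demoapp.toml"
    owner: root
    group: "{{ cacert_os_group }}"
    mode: "0640"
  # the rendered file contains secrets; never show it in --diff output
  diff: false
  notify: demoapp_systemd_reload

- name: Create demoapp systemd unit file
  ansible.builtin.template:
    src: cacert-demoapp.service.j2
    dest: /etc/systemd/system/cacert-demoapp.service
    owner: root
    group: root
    mode: "0644"
  notify: demoapp_systemd_reload

- name: Ensure service is started
  ansible.builtin.systemd:
    name: cacert-demoapp
    state: started
    enabled: true
    # the unit may have been written moments ago; the notify handler above
    # only runs at the end of the play, which is too late for this start
    daemon_reload: true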