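---
# Installs and configures an Ory Hydra release on the target host:
#   1. a dedicated system user/group and a root-owned directory tree under hydra_home
#   2. checksum-verified download and extraction of the release binary
#   3. hydra.yml from a template, plus a TLS key/cert (mkcert locally, or
#      PEM data from the inventory)
#   4. SQL migrations and a systemd unit
# Expected variables: hydra_os_user, hydra_os_group, hydra_home, hydra_version,
# hydra_checksum, hydra_tls (cert, key, certdata, keydata), oidc_urls, use_mkcert.
# Every task except the mkcert block is expected to run with become (root);
# the mkcert block explicitly drops to the connecting user.

- name: Create Hydra group
  ansible.builtin.group:
    name: "{{ hydra_os_group }}"
    state: present
    system: true

- name: Create Hydra user
  ansible.builtin.user:
    name: "{{ hydra_os_user }}"
    group: "{{ hydra_os_group }}"
    home: "{{ hydra_home }}"
    state: present
    system: true

# The directories are owned by root rather than by the service user: a
# directory owned by the service user would let that user unlink and replace
# the root-owned binary and config placed inside it, which would defeat the
# root ownership set on those files below. Group read/traverse (0750) is all
# the service needs.
- name: Create Hydra directories
  ansible.builtin.file:
    path: "{{ hydra_home }}/{{ item.path }}"
    owner: root
    group: "{{ hydra_os_group }}"
    mode: "{{ item.mode }}"
    state: directory
  loop:
    - { path: etc, mode: '0750' }
    - { path: bin, mode: '0750' }
    - { path: download, mode: '0750' }

# The archive is pinned to hydra_version and verified against hydra_checksum;
# keeping it root-owned means the service user cannot alter what gets
# extracted on a later run.
- name: Download Hydra binary
  ansible.builtin.get_url:
    url: "https://github.com/ory/hydra/releases/download/v{{ hydra_version }}/hydra_{{ hydra_version }}-linux_64bit.tar.gz"
    dest: "{{ hydra_home }}/download/hydra_{{ hydra_version }}-linux_64bit.tar.gz"
    checksum: "sha256:{{ hydra_checksum }}"
    owner: root
    group: "{{ hydra_os_group }}"
    mode: '0640'

# Only the `hydra` binary is taken out of the archive; root-owned and
# group-executable so the service can run it but not modify it.
- name: Extract Hydra binary
  ansible.builtin.unarchive:
    remote_src: true
    src: "{{ hydra_home }}/download/hydra_{{ hydra_version }}-linux_64bit.tar.gz"
    dest: "{{ hydra_home }}/bin"
    owner: root
    group: "{{ hydra_os_group }}"
    include: 'hydra'
    mode: '0750'

# hydra.yml may carry secrets (rendered from the template); group-readable
# only, and a change triggers a daemon reload via the handler.
- name: Create Hydra configuration
  ansible.builtin.template:
    src: hydra.yml.j2
    dest: "{{ hydra_home }}/etc/hydra.yml"
    owner: root
    group: "{{ hydra_os_group }}"
    mode: '0640'
  notify: hydra_systemd_reload

# Both halves of the pair are checked so that a missing key (with a leftover
# certificate) still triggers regeneration instead of a service that cannot
# start.
- name: Check whether certificate exists
  ansible.builtin.stat:
    path: "{{ hydra_tls.cert }}"
  register: hydra_cert_st

- name: Check whether private key exists
  ansible.builtin.stat:
    path: "{{ hydra_tls.key }}"
  register: hydra_key_st

# Local/dev path: generate the pair with the connecting user's mkcert.
# The block runs unprivileged (become: false) so mkcert uses that user's CA
# store; only the copy into the target location is done as root.
- name: Create Hydra key and certificate with mkcert
  block:
    - name: Create temporary directory for Hydra key and certificate
      ansible.builtin.tempfile:
        prefix: "hydra-cert."
        state: directory
      register: hydra_cert_temp_dir

    # argv (instead of a single cmd string) keeps each templated hostname as
    # exactly one argument, with no word-splitting of the rendered values.
    - name: Create Hydra key and certificate
      ansible.builtin.command:
        argv:
          - "/home/{{ ansible_user | default(ansible_env.USER) }}/.local/bin/mkcert"
          - "-cert-file"
          - "{{ hydra_cert_temp_dir.path }}/hydra.pem"
          - "-key-file"
          - "{{ hydra_cert_temp_dir.path }}/hydra.key.pem"
          - "{{ oidc_urls.hydra_admin.host }}"
          - "{{ oidc_urls.hydra_public.host }}"

    # no_log so the private key never appears in --diff / verbose output.
    - name: Move Hydra certificate and key to target
      ansible.builtin.copy:
        src: "{{ hydra_cert_temp_dir.path }}/{{ item.src }}"
        dest: "{{ item.dest }}"
        owner: root
        group: "{{ hydra_os_group }}"
        mode: "{{ item.mode }}"
        remote_src: true
      loop:
        - { src: hydra.pem, dest: "{{ hydra_tls.cert }}", mode: '0644' }
        - { src: hydra.key.pem, dest: "{{ hydra_tls.key }}", mode: '0640' }
      no_log: true
      become: true
  always:
    # Runs even if mkcert or the copy failed, so key material does not
    # linger in the temp directory; guarded in case tempfile itself failed.
    - name: Remove temporary directory
      ansible.builtin.file:
        path: "{{ hydra_cert_temp_dir.path }}"
        state: absent
      when: hydra_cert_temp_dir.path is defined
  when: use_mkcert and not (hydra_cert_st.stat.exists and hydra_key_st.stat.exists)
  become: false

# Production path: PEM data supplied through the inventory (ideally vaulted).
- name: Copy Hydra key and certificate from inventory
  block:
    - name: Copy Hydra certificate
      ansible.builtin.copy:
        dest: "{{ hydra_tls.cert }}"
        owner: root
        group: "{{ hydra_os_group }}"
        mode: '0644'
        content: "{{ hydra_tls.certdata }}"

    # no_log so the private key is not echoed in task output or diffs.
    - name: Copy Hydra key
      ansible.builtin.copy:
        dest: "{{ hydra_tls.key }}"
        owner: root
        group: "{{ hydra_os_group }}"
        mode: '0640'
        content: "{{ hydra_tls.keydata }}"
      no_log: true
  when: not use_mkcert

# The DSN is read from the environment (--read-from-env), so it is not
# part of the command line; migrations are idempotent and reported as
# unchanged on every run.
- name: Run Hydra SQL migrations
  ansible.builtin.command:
    argv:
      - "{{ hydra_home }}/bin/hydra"
      - migrate
      - sql
      - "--yes"
      - "--read-from-env"
      - "--config"
      - "{{ hydra_home }}/etc/hydra.yml"
  changed_when: false

- name: Create systemd unit file
  ansible.builtin.template:
    src: hydra.service.j2
    dest: /etc/systemd/system/hydra.service
    owner: root
    group: root
    mode: "0640"
  notify: hydra_systemd_reload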