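---
# Main tasks for vault_agent role.
#
# What this does, in order:
#   1. Installs unzip and creates the config/data/TLS directories.
#   2. Downloads the pinned Vault release zip, verifies it against HashiCorp's
#      published SHA256SUMS, and extracts the binary to /usr/local/bin.
#   3. Writes the AppRole role_id / secret_id files (only when the vars are set).
#   4. Deploys the three agent templates that render certificate, chain and
#      private key from {{ vault_secret_path }} (the `.Data.data.*` paths match
#      the KV v2 response shape).
#   5. Deploys config.hcl and the systemd unit, then enables/starts the service.
#
# Security notes:
#   * The release archive is checksum-verified before extraction; the
#     SHA256SUMS signature (.sig) is NOT verified here.
#   * secret_id is written with no_log so the value never appears in play
#     output or callback logs.
#   * The private-key directory is created 0750 (not 0755) so other local
#     users cannot traverse it.

- name: Install unzip (required for vault binary extraction)
  package:
    name: unzip
    state: present
  become: true

- name: Create vault-agent directories
  file:
    path: "{{ item.path }}"
    state: directory
    mode: "{{ item.mode }}"
    owner: "{{ vault_agent_user }}"
    group: "{{ vault_agent_group }}"
  become: true
  loop:
    - path: "{{ vault_agent_config_dir }}"
      mode: "0755"
    - path: "{{ vault_agent_data_dir }}"
      mode: "0755"
    - path: "{{ ssl_certs_dir }}"
      mode: "0755"
    # Private keys are rendered into this directory; keep it non-traversable
    # for users outside vault_agent_group.
    - path: "{{ ssl_private_dir }}"
      mode: "0750"

- name: Download Vault release archive (verified against HashiCorp SHA256SUMS)
  get_url:
    url: "https://releases.hashicorp.com/vault/{{ vault_agent_version }}/vault_{{ vault_agent_version }}_linux_{{ vault_agent_arch | default('amd64') }}.zip"
    # /usr/local/src is root-owned and not world-writable, unlike /tmp, so an
    # unprivileged local user cannot swap the archive between verify and extract.
    dest: "/usr/local/src/vault_{{ vault_agent_version }}_linux_{{ vault_agent_arch | default('amd64') }}.zip"
    # get_url looks up the archive's filename in the SHA256SUMS file and fails
    # the task on mismatch; an already-present file with a matching hash is
    # not re-downloaded, which keeps this task idempotent.
    checksum: "sha256:https://releases.hashicorp.com/vault/{{ vault_agent_version }}/vault_{{ vault_agent_version }}_SHA256SUMS"
    owner: root
    group: root
    mode: "0644"
  become: true
  register: vault_agent_archive

- name: Extract Vault binary to /usr/local/bin
  unarchive:
    src: "{{ vault_agent_archive.dest }}"
    dest: /usr/local/bin
    remote_src: true
    owner: root
    group: root
    mode: "0755"
  become: true
  # A new binary on disk does nothing until the running agent is restarted.
  notify: restart vault-agent

- name: Write AppRole role_id file
  copy:
    content: "{{ vault_approle_role_id }}"
    dest: "{{ vault_agent_config_dir }}/role_id"
    # role_id alone does not authenticate, but there is no reason for other
    # local users to be able to read it.
    mode: "0640"
    owner: "{{ vault_agent_user }}"
    group: "{{ vault_agent_group }}"
  become: true
  when: vault_approle_role_id is defined
  notify: restart vault-agent

- name: Write AppRole secret_id file
  copy:
    content: "{{ vault_approle_secret_id }}"
    dest: "{{ vault_agent_config_dir }}/secret_id"
    mode: "0600"
    owner: "{{ vault_agent_user }}"
    group: "{{ vault_agent_group }}"
  become: true
  when: vault_approle_secret_id is defined
  # Keep the secret out of verbose output, diffs and callback plugins.
  no_log: true
  notify: restart vault-agent

# The three tasks below write Vault Agent (consul-template) templates. The
# `{{ "{{" }}` / `{{ "}}" }}` wrapping emits literal `{{` / `}}` for the agent
# while still letting Ansible substitute {{ vault_secret_path }}.
- name: Deploy certificate template (fullchain)
  copy:
    # NOTE(review): the certificate and chain values are concatenated with no
    # separator; this only yields valid PEM if the stored certificate value
    # ends with a newline. Verify the value at {{ vault_secret_path }}.
    content: |
      {{ "{{" }} with secret "{{ vault_secret_path }}" {{ "}}" }}{{ "{{" }} .Data.data.certificate {{ "}}" }}{{ "{{" }} .Data.data.chain_pem {{ "}}" }}{{ "{{" }} end {{ "}}" }}
    dest: "{{ vault_agent_config_dir }}/certificate.tpl"
    mode: "0644"
    owner: "{{ vault_agent_user }}"
    group: "{{ vault_agent_group }}"
  become: true
  notify: restart vault-agent

- name: Deploy chain certificate template
  copy:
    content: |
      {{ "{{" }} with secret "{{ vault_secret_path }}" {{ "}}" }}{{ "{{" }} .Data.data.chain_pem {{ "}}" }}{{ "{{" }} end {{ "}}" }}
    dest: "{{ vault_agent_config_dir }}/chain_pem.tpl"
    mode: "0644"
    owner: "{{ vault_agent_user }}"
    group: "{{ vault_agent_group }}"
  become: true
  notify: restart vault-agent

- name: Deploy private key template
  copy:
    # The template itself holds no secret (only the KV path); the rendered
    # key's permissions are governed by the template stanza in config.hcl,
    # which is not part of this file.
    content: |
      {{ "{{" }} with secret "{{ vault_secret_path }}" {{ "}}" }}{{ "{{" }} .Data.data.private_key {{ "}}" }}{{ "{{" }} end {{ "}}" }}
    dest: "{{ vault_agent_config_dir }}/private_key.tpl"
    mode: "0644"
    owner: "{{ vault_agent_user }}"
    group: "{{ vault_agent_group }}"
  become: true
  notify: restart vault-agent

- name: Deploy Vault Agent configuration
  template:
    src: vault-agent-config.hcl.j2
    dest: "{{ vault_agent_config_dir }}/config.hcl"
    # config.hcl may reference the credential file paths and sink tokens;
    # keep it readable by the agent user only.
    mode: "0600"
    owner: "{{ vault_agent_user }}"
    group: "{{ vault_agent_group }}"
  become: true
  notify: restart vault-agent

- name: Deploy Vault Agent systemd service
  template:
    src: vault-agent.service.j2
    dest: /etc/systemd/system/vault-agent.service
    owner: root
    group: root
    mode: "0644"
  become: true
  notify:
    - reload systemd
    - restart vault-agent

- name: Enable and start vault-agent service
  systemd:
    name: vault-agent
    enabled: true
    state: started
    daemon_reload: true
  become: true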