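---
# Tasks for the cadoles-pod Hydra role: install prerequisites, configure the
# Cadoles apt repository, install pinned packages, render HAProxy/Hydra
# configuration and include the optional authentication back-ends.
# Booleans are written as `true`/`false` (yamllint `truthy`) and every module
# uses its fully-qualified collection name for consistency.

- name: Add required utilities
  ansible.builtin.apt:
    name:
      - gpg
      - wget
      - openssl
    update_cache: true
    state: present
  become: true

# NOTE(review): this fetches a shell script with TLS certificate verification
# disabled (--no-check-certificate) and pipes it straight into bash as root.
# That is an unauthenticated supply-chain step: whoever can tamper with the
# connection or the upstream repository branch gets root on every managed host.
# Prefer vendoring the script into the role (ansible.builtin.script or
# ansible.builtin.copy + command) or at least downloading with
# ansible.builtin.get_url and a pinned `checksum:` before executing it.
# NOTE(review): the `creates:` path ends in `.pem.pem`; if the script does not
# write that exact file the task is not idempotent and re-runs on every play —
# confirm against the script.
- name: Add LetsEncrypt missing intermediate certificates
  ansible.builtin.command: "bash -c 'wget -O- --no-check-certificate https://forge.cadoles.com/Cadoles/Jenkins/raw/branch/master/resources/com/cadoles/common/add-letsencrypt-ca.sh | bash'"
  args:
    creates: /etc/ssl/certs/lets-encrypt-e1.pem.pem
  become: true

# NOTE(review): apt_key relies on the deprecated apt-key trusted keyring;
# newer Debian releases expect a per-repository keyring referenced via
# `signed-by` in the sources entry. Migrating is a behaviour change, so it is
# only flagged here.
- name: Add cadoles-pod debian repository key
  ansible.builtin.apt_key:
    url: "{{ cadoles_pod_debian_repository_key_url }}"
    state: present
  become: true

- name: Configure cadoles-pod debian repository
  ansible.builtin.apt_repository:
    repo: "deb {{ cadoles_pod_debian_repository_url }} {{ cadoles_pod_debian_repository }} main"
    state: present
  become: true

# Raise inotify limits; `sysctl_set: true` applies the value to the running
# kernel as well as persisting it.
- name: Ensure sysctl configuration
  ansible.posix.sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    sysctl_set: true
  with_items:
    - name: fs.inotify.max_user_instances
      value: 128
    - name: fs.inotify.max_user_watches
      value: 204800
  become: true

# Package versions are pinned through role variables so upgrades are explicit.
- name: Install core packages
  ansible.builtin.apt:
    name:
      - haproxy={{ haproxy_package_version }}
      - cadoles-pod-hydra-v1={{ cadoles_pod_hydra_v1_package_version }}
      - cadoles-pod-hydra-dispatcher-v1={{ cadoles_pod_hydra_dispatcher_v1_package_version }}
    update_cache: true
    state: present
  become: true

- name: Configure Hydra local database
  ansible.builtin.include_tasks: hydra-database.yml
  when: not hydra_use_external_database

# `validate:` runs a HAProxy syntax check on the rendered file before it
# replaces the live configuration, so a bad template never triggers a restart
# into a broken state.
- name: Configure HAProxy
  ansible.builtin.template:
    src: haproxy.cfg.j2
    dest: /etc/haproxy/haproxy.cfg
    validate: "haproxy -c -f %s"
  notify:
    - Restart HAProxy
  become: true

# NOTE(review): no explicit `mode:` here, so the rendered client files get
# umask-derived permissions. If hydra-client.json.j2 carries client secrets,
# set a restrictive mode (as the dispatcher tasks below do) and an `owner:`/
# `group:` matching the Hydra service account — confirm against the template.
- name: Create hydra-clients
  ansible.builtin.template:
    src: hydra-client.json.j2
    dest: "/etc/hydra/clients.d/{{ item.client_id }}.json"
  with_items: "{{ hydra_clients }}"
  notify:
    - Reload hydra clients
  become: true

# NOTE(review): same remark as above — the hydra-v1 config is rendered without
# an explicit `mode:` while the dispatcher config below restricts it; if the
# file contains database or OAuth credentials, align the permissions.
- name: Configure cadoles-pod-hydra-v1
  ansible.builtin.template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
  with_items:
    - src: cadoles-pod-hydra-v1.conf.j2
      dest: /etc/cadoles-pod-hydra-v1.conf
  notify:
    - Restart cadoles-pod-hydra-v1
  become: true

- name: Configure cadoles-pod-hydra-dispatcher-v1
  ansible.builtin.template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "{{ item.mode }}"
  with_items:
    - src: cadoles-pod-hydra-dispatcher-v1.conf.j2
      dest: /etc/cadoles-pod-hydra-dispatcher-v1.conf
      mode: u=rw,g=r
    - src: hydra-dispatcher-apps.yml.j2
      dest: /etc/hydra-dispatcher/conf.d/apps.yml
      mode: u=rw,g=r,o=r
  notify:
    - Restart cadoles-pod-hydra-dispatcher-v1
  become: true

# Optional authentication back-ends, each gated by its enable_* variable.
- name: Configure passwordless authentification if enabled
  ansible.builtin.include_tasks: hydra-passwordless.yml
  when: enable_hydra_passwordless

- name: Configure SAML authentification if enabled
  ansible.builtin.include_tasks: hydra-saml.yml
  when: enable_hydra_saml

- name: Configure OIDC authentification if enabled
  ansible.builtin.include_tasks: hydra-oidc.yml
  when: enable_hydra_oidc

- name: Configure LDAP authentification if enabled
  ansible.builtin.include_tasks: hydra-ldap.yml
  when: enable_hydra_ldap

# The OIDC test application is started or stopped depending on the flag so a
# toggled-off deployment actually removes it rather than leaving it running.
- name: Start OIDC Test app if enabled
  ansible.builtin.include_tasks: start-oidc-test.yml
  when: enable_oidc_test_app

- name: Stop OIDC Test app if disabled
  ansible.builtin.include_tasks: stop-oidc-test.yml
  when: not enable_oidc_test_app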