---
- name: Include variables
  include_vars: "{{ lookup('first_found', params) }}"
  vars:
    params:
      files: "{{ distro_lookup_path }}"
      paths:
        - "vars"

- name: Include OS-specific tasks
  include_tasks: "{{ lookup('first_found', file_list) }}"
  vars:
    file_list: "{{ distro_lookup_path }}"

- name: Add PPA GPG key
  become: true
  apt_key:
    data: "{{ hashicorp_gpg_key }}"

- name: Install required packages
  become: true
  ansible.builtin.package:
    state: present
    name: "{{ item }}"
  loop:
    - "{{ packages }}"
  when: "ansible_facts.pkg_mgr != 'atomic_container'"
  register: task_result
  until: task_result is success
  retries: 5

- name: Create storage
  ansible.builtin.file:
    state: "directory"
    path: "{{ vault_storage_path }}"
    owner: "{{ vault_owner }}"
    group: "{{ vault_group }}"
    mode: 0755

- name: Create plugins dir
  ansible.builtin.file:
    state: "directory"
    path: "{{ vault_plugin_path }}"
    owner: "{{ vault_owner }}"
    group: "{{ vault_group }}"
    mode: 0755

- name: Install plugins
  ansible.builtin.unarchive:
    src: "{{ zj_plugin.url }}"
    dest: "{{ vault_plugin_path }}"
    owner: "{{ vault_owner }}"
    group: "{{ vault_group }}"
    remote_src: "yes"
  loop:
    "{{ vault_plugins }}"
  loop_control:
    loop_var: "zj_plugin"

- name: Write config
  ansible.builtin.template:
    dest: /etc/vault.d/vault.hcl
    src: vault.hcl.j2
    mode: 0644
    owner: "{{ vault_owner }}"
    group: "{{ vault_group }}"
  notify:
    - Restart Vault

- name: Write SSL Cert file
  ansible.builtin.copy:
    path: "{{ vault_tls_cert_file }}"
    content: "{{ vault_tls_cert_content }}"
    owner: "{{ vault_owner }}"
    group: "{{ vault_group }}"
    recurse: true
  when: "vault_tls_cert_content is defined and vault_tls_cert_content|length>0"

- name: Write SSL Key file
  ansible.builtin.copy:
    path: "{{ vault_tls_key_file }}"
    content: "{{ vault_tls_key_content }}"
    owner: "{{ vault_owner }}"
    group: "{{ vault_group }}"
    recurse: true
  when: "vault_tls_key_content is defined and vault_tls_key_content|length>0"

- name: Correct certs ownership
  ansible.builtin.file:
    path: "/etc/ssl/{{ inventory_hostname }}/vault"
    state: "directory"
    owner: "{{ vault_owner }}"
    group: "{{ vault_group }}"
    recurse: true

- name: Enable vault service
  ansible.builtin.service:
    name: "vault"
    enabled: "true"
    state: "started"

# - name: Renew transit token
#   include_tasks: "renew_transit_token.yaml"
#   vars:
#     vault_addr: "{{ vault_seal_transit_address }}"
#     transit_token: "{{ vault_seal_transit_token }}"
#   when:
#     - "vault_seal_transit_address is defined and vault_seal_transit_address | length > 0"
#     - "vault_seal_transit_token is defined and vault_seal_transit_token | length > 0"