# Copyright (c) 2015 Hewlett-Packard Development Company, L.P.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: "Set MySQL socket fact for Red Hat family"
  set_fact:
    mysql_socket_path: "/var/lib/mysql/mysql.sock"
  when: ansible_os_family | lower == 'redhat'

- name: "Set MySQL socket fact for Debian family"
  set_fact:
    mysql_socket_path: "/var/run/mysqld/mysqld.sock"
  when: ansible_os_family | lower == 'debian'

- name: "Set MySQL socket fact for other systems"
  set_fact:
    mysql_socket_path: "/var/run/mysql/mysql.sock"
  when: ansible_os_family | lower not in ['redhat', 'debian']

- name: "MySQL - Create database"
  mysql_db:
    login_unix_socket: "{{ mysql_socket_path | default(omit) }}"
    login_user: "{{ mysql_username }}"
    login_password: "{{ mysql_password }}"
    name: "{{ ironic_inspector.database.name }}"
    state: present
    encoding: utf8
  when: ironic_inspector.database.host == 'localhost'

- name: "MySQL - Create user for inspector"
  mysql_user:
    login_unix_socket: "{{ mysql_socket_path | default(omit) }}"
    login_user: "{{ mysql_username }}"
    login_password: "{{ mysql_password }}"
    name: "{{ ironic_inspector.database.username }}"
    password: "{{ ironic_inspector.database.password }}"
    priv: "{{ ironic_inspector.database.name }}.*:ALL"
    state: present
  when: ironic_inspector.database.host == 'localhost'

- name: "Inspector - Ensure /etc/ironic-inspector/ exists"
  file:
    dest=/etc/ironic-inspector
    owner=ironic
    group=ironic
    mode=0755
    state=directory
# Note(TheJulia): The rootwrap copies will need to be re-tooled
# to possibly directly retreive current files if a source install
# is not utilized.
- name: "Copy rootwrap.conf from ironic-inspector source folder"
  copy:
    src: "{{ ironicinspector_git_folder }}/rootwrap.conf"
    dest: "/etc/ironic-inspector/rootwrap.conf"
    remote_src: yes
    mode: 0644
    owner: root
    group: root
# Note(ashestakov): "copy" module in ansible doesn't support recursive
# copying on remote host. "cp" command used instead.
- name: "Copy rootwrap.d contents from ironic-inspector source folder"
  command: cp -r "{{ ironicinspector_git_folder }}/rootwrap.d/" "/etc/ironic-inspector/rootwrap.d"

- name: "Generate htpasswd(s) for ironic-inspector"
  htpasswd:
    path: /etc/ironic-inspector/htpasswd
    crypt_scheme: bcrypt
    name: "{{ item.name }}"
    password: "{{ item.password }}"
    owner: ironic
    group: ironic
    mode: 0600
  loop:
    - name: "{{ admin_username }}"
      password: "{{ admin_password }}"
    - name: "{{ default_username }}"
      password: "{{ default_password }}"
  loop_control:
    label: "{{ item.name }}"
  when:
    - not noauth_mode | bool
    - not enable_keystone | bool

- name: "Generate TLS parameters"
  include_role:
    name: bifrost-tls
  vars:
    dest_private_key_path: "{{ ironic_inspector_private_key_path }}"
    dest_private_key_owner: ironic
    dest_private_key_group: ironic
  when: enable_tls | bool

- name: "Populate keystone for ironic-inspector "
  include: keystone_setup_inspector.yml
  when: enable_keystone | bool

- name: "Inspector - Place Configuration"
  template:
    src=ironic-inspector.conf.j2
    dest=/etc/ironic-inspector/inspector.conf
    owner=ironic
    group=ironic
    mode=0640
- name: "Inspector - Create the log directories (if requested)"
  file:
    name: "{{ item }}"
    state: directory
    owner: ironic
    group: ironic
    mode: 0700
  loop:
    - "{{ inspector_log_dir | default('') }}"
    - "{{ inspector_ramdisk_logs_local_path | default('') }}"
  when: item | length > 0
- name: "Upgrade inspector DB Schema"
  command: ironic-inspector-dbsync --config-file /etc/ironic-inspector/inspector.conf upgrade
  become: true
  environment: "{{ bifrost_venv_env }}"
- name: "Inspector - Get ironic-inspector install location"
  shell: echo $(dirname $(which ironic-inspector))
  register: ironic_install_prefix
  environment: "{{ bifrost_venv_env }}"
- name: "Inspector - Place service"
  template:
    src: systemd_template.j2
    dest: "{{ init_dest_dir }}ironic-inspector.service"
    owner: root
    group: root
  vars:
    service_path: "{{ ironic_install_prefix.stdout | default('') }}"
    service_name: 'ironic-inspector'
    config_file: '/etc/ironic-inspector/inspector.conf'
- name: "Inspector - Explicitly permit TCP/5050 for ironic-inspector callback"
  iptables:
    chain: INPUT
    action: insert
    protocol: tcp
    destination_port: 5050
    in_interface: "{{ network_interface }}"
    jump: ACCEPT
  when: not use_firewalld | bool

- name: "Inspector - Enable port in firewalld"
  firewalld:
    port: "5050/tcp"
    zone: "{{ 'libvirt' if testing | bool else firewalld_internal_zone }}"
    state: enabled
    permanent: yes
    immediate: yes
  when: use_firewalld | bool