---
# Copyright 2018, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

- name: Run apt install block
  block:
    - name: Run the apt package pinning role
      include_role:
        name: apt_package_pinning
      vars:
        apt_package_pinning_file_name: "docker.pref"
        apt_package_pinning_priority: 999
        apt_pinned_packages:
          - package: "docker-ce"
            version: "{{ zun_docker_package_version }}"
            priority: 1000
          - package: "docker-ce-cli"
            version: "{{ zun_docker_package_version }}"
            priority: 1000
          - package: "containerd.io"
            version: "{{ zun_containerd_package_version }}"
            priority: 1000

    - name: Validate repo config is deb822 format
      vars:
        _repo_check: "{{ zun_docker_repo | selectattr('repo', 'defined') | map(attribute='repo') }}"
      ansible.builtin.assert:
        that: _repo_check | length == 0
        fail_msg: "The following repository definitions must be updated to deb822 format {{ _repo_check }}"

    # NOTE(jrosser) remove this task for the 2025.2 release
    - name: Clean up legacy repository config not in deb822 format
      file:
        path: "/etc/apt/sources.list.d/docker-ce.list"
        state: absent
      register: _cleanup_apt_repositories

    - name: Ensure python3-debian package is available
      apt:
        name: python3-debian

    - name: Manage apt repositories
      ansible.builtin.deb822_repository:
        allow_downgrade_to_insecure: "{{ item.allow_downgrade_to_insecure | default(omit) }}"
        allow_insecure: "{{ item.allow_insecure | default(omit) }}"
        allow_weak: "{{ item.allow_weak | default(omit) }}"
        architectures: "{{ item.architectures | default(omit) }}"
        by_hash: "{{ item.by_hash | default(omit) }}"
        check_date: "{{ item.check_date | default(omit) }}"
        check_valid_until: "{{ item.check_valid_until | default(omit) }}"
        components: "{{ item.components | default(omit) }}"
        date_max_future: "{{ item.date_max_future | default(omit) }}"
        enabled: "{{ item.enabled | default(omit) }}"
        inrelease_path: "{{ item.inrelease_path | default(omit) }}"
        languages: "{{ item.languages | default(omit) }}"
        mode: "{{ item.mode | default(omit) }}"
        name: "{{ item.name }}"
        pdiffs: "{{ item.pdiffs | default(omit) }}"
        signed_by: "{{ item.signed_by | default(omit) }}"
        state: "{{ item.state | default(omit) }}"
        suites: "{{ item.suites | default(omit) }}"
        targets: "{{ item.targets | default(omit) }}"
        trusted: "{{ item.trusted | default(omit) }}"
        types: "{{ item.types | default(omit) }}"
        uris: "{{ item.uris | default(omit) }}"
      with_items: "{{ zun_docker_repo }}"
      register: add_nv_repos

    - name: Update Apt cache
      apt:
        update_cache: yes
      when: (add_nv_repos is changed) or (_cleanup_apt_repositories is changed)
      register: update_apt_cache
      until: update_apt_cache is success
      retries: 5
      delay: 2

  when:
    - "ansible_facts['pkg_mgr'] == 'apt'"

- name: Add docker repo
  yum_repository:
    name: "{{ item.name }}"
    description: "{{ item.description }}"
    baseurl: "{{ item.repo }}"
    gpgkey: "{{ item.gpgkey | default(omit) }}"
    gpgcheck: yes
    enabled: yes
    priority: 25
  register: add_docker_repos
  until: add_docker_repos is success
  retries: 5
  delay: 2
  with_items: "{{ zun_docker_repo }}"
  when:
    - ansible_facts['pkg_mgr'] == 'dnf'

- name: Enable module_hotfixes
  lineinfile:
    dest: "/etc/yum.repos.d/{{ item.name }}.repo"
    line: "module_hotfixes=1"
    regexp: "^module_hotfixes"
    insertafter: "^enabled"
  with_items: "{{ zun_docker_repo }}"
  when:
    - ansible_facts['os_family'] | lower == 'redhat'

- name: Install compute distro packages
  package:
    name: "{{ zun_distro_compute_packages }}"
    state: "{{ zun_package_state }}"
    update_cache: "{{ (ansible_facts['pkg_mgr'] == 'apt') | ternary('yes', omit) }}"
    cache_valid_time: "{{ (ansible_facts['pkg_mgr'] == 'apt') | ternary(cache_timeout, omit) }}"
    enablerepo: "{{ (ansible_facts['pkg_mgr'] == 'dnf') | ternary('extras', omit) }}"

- name: Install and configure katacontainers
  when: zun_kata_enabled | bool
  block:
    - name: Download kata package
      get_url:
        url: "{{ zun_kata_package_source }}"
        dest: "/opt/{{ zun_kata_package_source | basename }}"
        mode: '0440'
        checksum: "{{ zun_kata_package_checksum }}"
      register: _kata_downloaded

    - name: Unpack package
      unarchive:
        src: "/opt/{{ zun_kata_package_source | basename }}"
        dest: /opt/
        remote_src: True
        owner: root
        group: root
        extra_opts:
          - --strip-components=2
      when: _kata_downloaded is changed
      notify:
        - Restart containerd

    - name: Symlink kata binaries to PATH
      file:
        src: "{{ item.src }}"
        dest: "{{ item.dest }}"
        state: link
      with_items:
        - src: /opt/kata/bin/containerd-shim-kata-v2
          dest: /usr/local/bin/containerd-shim-kata-v2
        - src: /opt/kata/bin/kata-collect-data.sh
          dest: /usr/local/bin/kata-collect-data.sh
        - src: /opt/kata/bin/kata-runtime
          dest: /usr/local/bin/kata-runtime

    - name: Ensure the containerd config directory exists
      file:
        path: "/etc/containerd"
        state: "directory"
        owner: "root"
        group: "root"
        mode: "0755"

    - name: Configure containerd
      template:
        src: "config.toml.j2"
        dest: "/etc/containerd/config.toml"
        mode: "0644"
        owner: "root"
        group: "root"
      notify:
        - Restart containerd

- name: Ensure the Docker config directory exists
  file:
    path: "/etc/docker"
    state: "directory"
    owner: "root"
    group: "root"
    mode: "0755"

- name: Generate kuryr config
  openstack.config_template.config_template:
    content: |
      {
        "live-restore": true,
        "default-ipc-mode": "shareable"
      }
    dest: "/etc/docker/daemon.json"
    owner: "root"
    group: "root"
    mode: "0644"
    config_overrides: "{{ zun_docker_config_overrides }}"
    config_type: "json"
  notify:
    - Restart docker

- name: Create the kuryr system group
  group:
    name: "{{ zun_kuryr_system_group_name }}"
    gid: "{{ zun_kuryr_system_group_gid | default(omit) }}"
    state: "present"
    system: "yes"
  tags:
    - zun-kuryr-group

- name: Create the kuryr system user
  user:
    name: "{{ zun_kuryr_system_user_name }}"
    uid: "{{ zun_kuryr_system_user_uid | default(omit) }}"
    group: "{{ zun_kuryr_system_group_name }}"
    comment: "{{ zun_kuryr_system_comment }}"
    shell: "{{ zun_kuryr_system_shell }}"
    system: "yes"
    createhome: "yes"
    home: "{{ zun_kuryr_system_home_folder }}"
  when: zun_kuryr_system_user_name != 'root'
  tags:
    - zun-kuryr-user

- name: Create kuryr dir
  file:
    path: "{{ item.path }}"
    state: directory
    owner: "{{ item.owner | default('root') }}"
    group: "{{ item.group | default('root') }}"
    mode: "{{ item.mode | default('0755') }}"
  with_items:
    - path: "/etc/kuryr"
      mode: "0750"
      owner: "{{ zun_kuryr_system_user_name }}"
      group: "{{ zun_kuryr_system_group_name }}"
    - path: "/etc/docker/plugins"
  tags:
    - zun-kuryr-dirs

- name: Generate kuryr config
  openstack.config_template.config_template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: "{{ zun_kuryr_system_user_name }}"
    group: "{{ zun_system_group_name }}"
    mode: "0640"
    config_overrides: "{{ item.config_overrides }}"
    config_type: "{{ item.config_type }}"
  with_items:
    - src: "kuryr-libnetwork.conf.j2"
      dest: "/etc/kuryr/kuryr.conf"
      config_overrides: "{{ zun_kuryr_conf_overrides }}"
      config_type: "ini"
  notify:
    - Restart docker
  tags:
    - zun-config
    - zun-post-install

- name: Generate kuryr docker plugin config
  openstack.config_template.config_template:
    content: |
      {
        "Name": "kuryr",
        "Addr": "http://127.0.0.1:23750"
      }
    dest: "/etc/docker/plugins/kuryr.json"
    owner: "root"
    group: "root"
    mode: "0644"
    config_overrides: "{{ zun_kuryr_config_overrides }}"
    config_type: "json"
  notify:
    - Restart docker

- name: Ensure docker users are added to the docker group
  user:
    name: "{{ item }}"
    groups: "{{ zun_docker_groupname }}"
    append: yes
  with_items: "{{ zun_docker_users }}"

- name: Drop sudoers file
  template:
    src: "sudoers.j2"
    dest: "/etc/sudoers.d/{{ zun_system_user_name }}_sudoers"
    mode: "0440"
    owner: "root"
    group: "root"
  tags:
    - sudoers
    - zun-sudoers

- name: Configure multipathd (RedHat only)
  command:
    cmd: "/sbin/mpathconf --enable"
    creates: "/etc/multipath.conf"
  when: ansible_facts['os_family'] == "RedHat"

- name: Enable multipathd service
  systemd:
    name: multipathd
    state: started
    enabled: yes

- name: Create script to clean up old Docker data
  template:
    src: "zun-docker-cleanup.j2"
    dest: "{{ zun_bin }}/zun-docker-cleanup"
    owner: "root"
    group: "root"
    mode: "0755"

- name: Set state for timed data cleanup
  file:
    path: "/var/tmp/zun-docker-cleanup.disabled"
    state: "{{ zun_docker_prune_images | ternary('absent', 'touch') }}"
    mode: "0644"

- name: Remove legacy systemd docker override
  file:
    path: "/etc/systemd/system/docker.service.d/zun-docker.conf"
    state: absent