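# Provisions a PostgreSQL server: OS account, upstream apt repository and
# packages, TLS material from the self-signed CA role, postgresql.conf
# management, the prometheus postgres exporter with its database role, and
# the stage-specific gpg automation key.

- name: "Adding group postgresql"
  ansible.builtin.group:
    name: postgres
    gid: 2001

- name: "Adding user postgresql"
  ansible.builtin.user:
    name: postgres
    uid: 2000
    group: postgres
    home: '{{ postgres_homedir }}'
    system: true
    shell: /bin/bash

- name: "Ensuring repository meta is installed"
  ansible.builtin.apt:
    name:
      - debian-keyring
      - debian-archive-keyring
      - apt-transport-https
    update_cache: true
    cache_valid_time: 900
    state: present

# The key fetched here is the trust root for every package from the
# PostgreSQL repository, so the TLS certificate of the download must be
# verified (the module default). With validate_certs disabled anyone on the
# network path could substitute the signing key.
- name: "Adding an apt signing key, uses whichever key is at the url"
  ansible.builtin.apt_key:
    url: https://www.postgresql.org/media/keys/ACCC4CF8.asc
    state: present
    validate_certs: true

# apt checks the Release signature against the key above, so this plain-http
# source is integrity-protected; apt-transport-https is installed above in
# case the source is switched to https.
- name: "Adding postgresql repository into sources list"
  ansible.builtin.apt_repository:
    repo: "deb http://apt.postgresql.org/pub/repos/apt {{ default_postgres_target_distribution }} main"
    state: present

# One apt transaction for both packages instead of a loop of single installs.
- name: "Ensuring several packages being installed"
  ansible.builtin.apt:
    name:
      - 'postgresql-{{ default_postgres_version }}'
      - python3-psycopg2
    update_cache: true
    cache_valid_time: 900
    state: present

# Paths of the server key, server certificate and CA certificate; all live in
# the postgres home directory and are handed to the self-signed CA role below.
- name: "Set vars"
  ansible.builtin.set_fact:
    cert_private_key: '{{ postgres_homedir }}/{{ inventory_hostname }}.{{ domain }}-key.pem'
    cert_public_key: '{{ postgres_homedir }}/{{ inventory_hostname }}.{{ domain }}-crt.pem'
    ca_cert: '{{ postgres_homedir }}/ca-certificate.pem'

- name: "Include role for self-signed CA"
  ansible.builtin.include_role:
    name: selfsigned_ca

# The private key is group-owned by postgres so the server process can read it.
- name: "Create certs with selfsigned CA"
  ansible.builtin.include_role:
    name: selfsigned_ca
    tasks_from: _create_cert
  vars:
    selfsigned_ca_cert_private_key: '{{ cert_private_key }}'
    selfsigned_ca_cert_private_key_group: postgres
    selfsigned_ca_cert_public_key: '{{ cert_public_key }}'
    selfsigned_ca_cacert: '{{ ca_cert }}'
    selfsigned_ca_cert_subject:
      CN: '{{ inventory_hostname }}.{{ domain }}'
    selfsigned_ca_cert_altnames:
      - 'DNS:{{ inventory_hostname }}.{{ domain }}'
      - 'DNS:{{ inventory_hostname }}'
    # selfsigned_ca_trigger_handler: restart postgres

# postgres_config is a list of {regex, line} items; lineinfile replaces the
# last line matching regex, so each regex should match one directive only.
- name: "Ensure postgresql.conf via evil lineinfile..."
  ansible.builtin.lineinfile:
    state: present
    regex: "{{ item.regex }}"
    line: "{{ item.line }}"
    path: "/etc/postgresql/{{ default_postgres_version }}/main/postgresql.conf"
  loop: '{{ postgres_config }}'
  notify: restart postgres

# setgid keeps files created in the archive directory group-owned by postgres.
- name: "Creating archive directory if necessary"
  ansible.builtin.file:
    state: directory
    path: /postgresql/replication
    owner: postgres
    group: postgres
    mode: "g+s"

- name: "Install prometheus postgres exporter..."
  ansible.builtin.apt:
    name: prometheus-postgres-exporter
    update_cache: true
    cache_valid_time: 900
    state: present

- name: "Ensure config for prometheus-postgres-exporter via evil lineinfile..."
  ansible.builtin.lineinfile:
    state: present
    regex: "{{ item.regex }}"
    line: "{{ item.line }}"
    path: /etc/default/prometheus-postgres-exporter
  loop: '{{ prometheus_postgres_exporter_config }}'
  notify: restart prometheus-postgres-exporter

- name: "Ensure /metrics directory exists"
  ansible.builtin.file:
    state: directory
    path: /metrics
    mode: '0755'

# The queries file is data read by the exporter; it needs no executable bit.
- name: "Ensure /metrics/queries.yaml exists"
  ansible.builtin.copy:
    src: pg-exporter-queries.yml
    dest: /metrics/queries.yaml
    mode: '0644'

# Read-only probe. command instead of shell because nothing needs shell
# expansion, and argv passes the SQL string without nested quoting. If psql
# fails, stdout is empty and the initialisation block below is skipped.
- name: Check role prometheus exists
  become: true
  become_user: postgres
  ansible.builtin.command:
    argv:
      - /usr/bin/psql
      - -Atc
      - "SELECT count(rolname) FROM pg_roles where rolname='prometheus'"
  register: role_check
  changed_when: false
  failed_when: false

# The init script is needed once, on the master, when the role is missing.
# It is staged in a private temp file owned by postgres instead of a fixed,
# world-readable path under /tmp, and removed again even if psql fails.
- name: "Initialise prometheus_postgres_exporter database role"
  when: "role_check.stdout == '0' and server_type == 'master'"
  block:
    - name: "Create private temp file for the init script"
      become: true
      become_user: postgres
      ansible.builtin.tempfile:
        state: file
        suffix: prometheus_postgres_exporter.sql
      register: exporter_init_sql

    - name: "Copy prometheus_postgres_exporter init script"
      ansible.builtin.copy:
        src: init.sql
        dest: '{{ exporter_init_sql.path }}'
        owner: postgres
        group: postgres
        mode: '0600'

    - name: "Execute prometheus_postgres_exporter init script"
      become: true
      become_user: postgres
      ansible.builtin.command:
        argv:
          - psql
          - -f
          - '{{ exporter_init_sql.path }}'
      changed_when: true
  always:
    - name: "Delete prometheus_postgres_exporter init script"
      ansible.builtin.file:
        path: '{{ exporter_init_sql.path }}'
        state: absent
      when: exporter_init_sql.path is defined

# Fetches the stage-specific automation gpg key from the internal gitea and
# imports it into the postgres user's keyring.
- name: "Block: gpg stuff"
  become: true
  become_user: postgres
  block:
    - name: Create temp dir
      ansible.builtin.tempfile:
        state: directory
        suffix: gitcheckout
        path: /tmp
      register: tempdir

    # The gitea admin password is part of the clone URL, and git stores that
    # URL in the checkout's .git/config. no_log keeps it out of task output
    # and logs; the checkout itself lives only in the temp dir above.
    # NOTE(review): make sure the block's always: section removes tempdir,
    # otherwise the URL with the password stays on disk.
    - name: "Checkout repo for gpg communication-keys"
      ansible.builtin.git:
        repo: 'https://{{ gituser | default("gitea-admin") | urlencode }}:{{ gitea_admin_password | urlencode }}@{{ stage }}-gitea-01.smardigo.digital/gitea-admin/communication-keys.git'
        dest: '{{ tempdir.path }}'
        version: master
      no_log: true

    # there is no ansible gpg module already in place
    # linting violation needs to be whitelisted
    - name: "Importing stage specific automation gpg-key"  # noqa command-instead-of-shell
      ansible.builtin.shell: 'gpg --import {{ tempdir.path }}/smardigo_automation_{{ stage }}.gpg.pub'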