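---
### tags:

# Install MariaDB plus what the rest of this file depends on:
# python3-pymysql for the community.mysql modules and the Prometheus exporter.
- name: Update apt
  ansible.builtin.apt:
    update_cache: true
    force_apt_get: true
    cache_valid_time: 3600

# `state: latest` upgrades on every run; the lint rule is deliberately waived.
# Pin versions here if reproducible deployments are required.
- name: MariaDB | install  # noqa package-latest
  ansible.builtin.package:
    name: "{{ item }}"
    state: latest
  loop:
    - mariadb-server
    - python3-pymysql
    - prometheus-mysqld-exporter

# Paths of this host's server certificate, its private key and the CA cert.
# They live in /etc/mysql/conf.d/ so the 50-ssl.cnf template can reference them.
- name: "Set vars"
  ansible.builtin.set_fact:
    cert_private_key: '/etc/mysql/conf.d/{{ inventory_hostname }}.{{ domain }}-key.pem'
    cert_public_key: '/etc/mysql/conf.d/{{ inventory_hostname }}.{{ domain }}-crt.pem'
    ca_cert: '/etc/mysql/conf.d/ca-certificate.pem'

- name: "Include role for self-signed CA"
  ansible.builtin.include_role:
    name: selfsigned_ca

# Issue the server certificate for this host. The key is group-owned by `mysql`
# so mysqld can read it without the file being world-readable; the SAN list
# covers both the FQDN and the short hostname. Installing it restarts MariaDB.
- name: "Create certs with selfsigned CA"
  ansible.builtin.include_role:
    name: selfsigned_ca
    tasks_from: _create_cert
  vars:
    selfsigned_ca_cert_private_key: '{{ cert_private_key }}'
    selfsigned_ca_cert_private_key_group: mysql
    selfsigned_ca_cert_public_key: '{{ cert_public_key }}'
    selfsigned_ca_cacert: '{{ ca_cert }}'
    selfsigned_ca_cert_subject:
      CN: '{{ inventory_hostname }}.{{ domain }}'
    selfsigned_ca_cert_altnames:
      - 'DNS:{{ inventory_hostname }}.{{ domain }}'
      - 'DNS:{{ inventory_hostname }}'
    selfsigned_ca_trigger_handler: restart mysql

# Listen only on the host's address inside the shared service network rather
# than on all interfaces. Template evaluation fails if the host has no address
# in that network, which is preferable to silently binding elsewhere.
- name: Fix binding..
  ansible.builtin.lineinfile:
    path: /etc/mysql/mariadb.conf.d/50-server.cnf
    regexp: '^bind-address'
    line: 'bind-address={{ ansible_all_ipv4_addresses | ansible.netcommon.ipaddr(shared_service_network) | first }}'
  notify: restart mysql

# Server-side TLS settings; the template only references the cert paths set
# above, so 0644 is fine.
- name: "Create my.cnf containing ssl stuff"
  ansible.builtin.template:
    src: 50-ssl.cnf
    dest: /etc/mysql/conf.d/
    mode: '0644'
    owner: root
    group: root
  notify: restart mysql

- name: Ensure service is started
  ansible.builtin.service:
    name: mariadb
    state: started
    enabled: true

# rc == 0 means `root` could connect without a password, i.e. the server is
# still in its freshly-installed state; only then is the password set below.
# NOTE(review): if root authenticates via the unix_socket plugin, this check
# also passes on every run when executed as root — confirm for the target
# MariaDB version. No shell features are used, so `command` suffices.
- name: Check if root password is set
  ansible.builtin.command: mysqladmin -u root status
  changed_when: false
  failed_when: false
  register: root_pwd_check

- name: Set MariaDB root password for the first time
  community.mysql.mysql_user:
    name: root
    password: "{{ mysql_root_password }}"
    host_all: true
    login_unix_socket: /var/run/mysqld/mysqld.sock
    state: present
  when: root_pwd_check.rc == 0

# Databases from inventory (`mysql_databases`): each item needs `name`; the
# other keys are optional and fall back to the defaults shown.
- name: Ensure MySQL databases are present.
  community.mysql.mysql_db:
    name: "{{ item.name }}"
    collation: "{{ item.collation | default('utf8_general_ci') }}"
    encoding: "{{ item.encoding | default('utf8') }}"
    state: "{{ item.state | default('present') }}"
    config_file: "/etc/mysql/mariadb.conf.d/50-client.cnf"
    login_password: "{{ mysql_root_password }}"
  loop: "{{ mysql_databases }}"

# Application users from inventory (`mysql_users`): every account must connect
# over TLS (`tls_requires: SSL`) and gets only USAGE unless `priv` says
# otherwise. `no_log` is required here: Ansible prints each loop item —
# including `item.password` — in the task result unless it is suppressed.
- name: Ensure MySQL users are present.
  community.mysql.mysql_user:
    name: "{{ item.name }}"
    tls_requires:
      SSL:
    password: "{{ item.password }}"
    priv: "{{ item.priv | default('*.*:USAGE') }}"
    state: "{{ item.state | default('present') }}"
    append_privs: "{{ item.append_privs | default('no') }}"
    encrypted: "{{ item.encrypted | default('no') }}"
    config_file: "/etc/mysql/mariadb.conf.d/50-client.cnf"
    login_password: "{{ mysql_root_password }}"
    host: "{{ item.host }}"
  loop: "{{ mysql_users }}"
  no_log: true

# Monitoring account for prometheus-mysqld-exporter. The DSN configured below is
# socket-only and carries no password, so authenticate this account with the
# unix_socket plugin instead of leaving an account that holds SELECT on *.*
# with an empty password. This requires the exporter process to run as the OS
# user `prometheus` (the Debian package's default service user) and the
# unix_socket plugin to be loaded — confirm both if the unit was customised.
# The account is explicitly limited to localhost, matching the socket-only DSN.
- name: Ensure prometheus user for prometheus-mysqld-exporter exists
  community.mysql.mysql_user:
    name: "prometheus"
    host: localhost
    plugin: unix_socket
    priv: "*.*:PROCESS,REPLICATION CLIENT,SELECT"
    config_file: "/etc/mysql/mariadb.conf.d/50-client.cnf"
    login_password: "{{ mysql_root_password }}"
  register: mysql_exporter_user_creds
  notify: prometheus-mysqld-exporter restart

- name: Ensure is prometheus-mysqld-exporter configured
  ansible.builtin.lineinfile:
    path: /etc/default/prometheus-mysqld-exporter
    regex: "^DATA_SOURCE_NAME="
    line: 'DATA_SOURCE_NAME="prometheus@unix(/run/mysqld/mysqld.sock)/"'
  register: mysql_exporter_data_source
  notify: prometheus-mysqld-exporter restart

# Expose the metrics endpoint on the private interface only.
- name: Setup prometheus-mysqld-exporter interface bind
  ansible.builtin.lineinfile:
    path: /etc/default/prometheus-mysqld-exporter
    regex: "^ARGS="
    line: "ARGS=\"--web.listen-address='{{ stage_private_server_ip }}:{{ monitor_port_maria }}'\""
  register: mysql_exporter_args
  notify: prometheus-mysqld-exporter restart

- name: "Ensure prometheus-mysqld-exporter is running"
  ansible.builtin.service:
    name: prometheus-mysqld-exporter
    state: started
    enabled: true

- name: 'Ensures <{{ backup_directory }}> directory exists'
  ansible.builtin.file:
    state: directory
    path: '{{ backup_directory }}'
    mode: '0755'

# Stage the SQL dump for the dummy test database and import it.
- name: "Copy testdb.sql to ensure test DB"
  ansible.builtin.copy:
    src: '{{ item }}'
    dest: '/tmp/{{ item }}'
    mode: '0444'
    owner: root
    group: root
  loop:
    - testdb.sql

- name: "Ensure test DB"
  community.mysql.mysql_db:
    login_user: '{{ mysql_root_username }}'
    login_password: "{{ mysql_root_password }}"
    config_file: "/etc/mysql/mariadb.conf.d/50-client.cnf"
    name: dummytestdb
    state: import
    target: /tmp/testdb.sql

# Fetch the stage-specific automation public key from the communication-keys
# repository and import it into the gpg keyring.
# NOTE(review): this block continues beyond the reviewed excerpt. The clone's
# .git/config keeps the credentialed remote URL, so the remainder should remove
# `tempdir.path` in an `always:` section — verify that it does.
- name: "Block: gpg stuff"
  block:
    - name: Create temp dir
      ansible.builtin.tempfile:
        state: directory
        suffix: gitcheckout
        path: /tmp
      register: tempdir

    # The gitea-admin password is embedded in the clone URL, and `repo` is not
    # a secret-typed module argument: without no_log it appears in the task
    # result and in verbose output.
    - name: "Checkout repo for gpg communication-keys"
      ansible.builtin.git:
        repo: 'https://{{ gituser | default("gitea-admin") | urlencode }}:{{ gitea_admin_password | urlencode }}@{{ stage }}-gitea-01.smardigo.digital/gitea-admin/communication-keys.git'
        dest: '{{ tempdir.path }}'
        version: master
      no_log: true

    # There is no gpg module, so the import is a plain command. No shell
    # features are needed, which also removes the command-instead-of-shell
    # lint waiver. Authenticity of the imported key rests on the Gitea TLS
    # connection and the admin credential; consider verifying the expected
    # fingerprint after import if a stronger guarantee is needed.
    - name: "Importing stage specific automation gpg-key"
      ansible.builtin.command: 'gpg --import {{ tempdir.path }}/smardigo_automation_{{ stage }}.gpg.pub'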