# Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
#
#  Licensed under the Apache License, Version 2.0 (the "License");
#  you may not use this file except in compliance with the License.
#  You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
#  Unless required by applicable law or agreed to in writing, software
#  distributed under the License is distributed on an "AS IS" BASIS,
#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#  See the License for the specific language governing permissions and
#  limitations under the License.
---

- name: Check login_vars file is encrypted
  command: cat "{{ role_path }}/../../control_plane/{{ login_vars_filename }}"
  changed_when: false
  register: config_content
  no_log: true

- name: Decrpyt login_vars.yml
  command: >-
    ansible-vault decrypt "{{ role_path }}/../../control_plane/{{ login_vars_filename }}"
    --vault-password-file "{{ role_path }}/../../control_plane/{{ vault_filename }}"
  changed_when: false
  when: "'$ANSIBLE_VAULT;' in config_content.stdout"

- name: Include variable file login_vars.yml
  include_vars: "{{ role_path }}/../../control_plane/{{ login_vars_filename }}"
  no_log: true

- name: Save grafana variables
  set_fact:
    grafana_username: '{{ grafana_username }}'
    grafana_password: '{{ grafana_password }}'
  no_log: True

- block:
    - name: Save variables of ipa server from Management Station
      set_fact:
        ms_ipa_admin_password: '{{ ms_kerberos_admin_password }}'
      no_log: True

    - name: Include ipa server hostname and domain name
      include_vars: "{{ ipa_secret_file }}"
  when:
    - login_node_required
    - ipa_server_ms

- name: Create ansible vault key
  set_fact:
    vault_key: "{{ lookup('password', '/dev/null chars=ascii_letters') }}"
  when: "'$ANSIBLE_VAULT;' not in config_content.stdout"

- name: Save vault key
  copy:
    dest: "{{ role_path }}/../../control_plane/{{ vault_filename }}"
    content: |
      {{ vault_key }}
    owner: root
    force: yes
    mode: "{{ vault_file_perm }}"
  when: "'$ANSIBLE_VAULT;' not in config_content.stdout"

- name: Encrypt input config file
  command: >-
    ansible-vault encrypt "{{ role_path }}/../../control_plane/{{ login_vars_filename }}"
    --vault-password-file "{{ role_path }}/../../control_plane/{{ vault_filename }}"
  changed_when: false

- name: Update login_vars.yml permission
  file:
    path: "{{ role_path }}/../../control_plane/{{ login_vars_filename }}"
    mode: "{{ vault_file_perm }}"