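---
# Probably want to split this out into a proper certificate management role for Toal.ca
#
# Three plays:
#   1. Obtain a Let's Encrypt certificate (ACME account + acme-certificate role), run locally.
#   2. Install the issued key/certificate/chain on the RHV-M host (httpd, engine trust
#      store, websocket proxy) and restart the affected services.
#   3. Create RHV/oVirt logical networks (VLANs) from the `ovirt_networks` variable.
#
# Variables referenced but not defined in this file (inventory / vault / role defaults):
#   acme_directory, acme_key, acme_rootchain_file, acme_key_file, acme_cert_file,
#   ovirt_auth, ovirt_networks.

- name: Request TLS Certificate from LetsEncrypt
  hosts: localhost
  connection: local
  gather_facts: false

  # This doesn't belong here
  vars:
    acme_email: ptoal@takeflight.ca
    challenge: dns-01
    dns_provider: dme
    # NOTE(review): this URL is the DST Root CA X3 ("TrustID") root, which expired
    # in 2021 — confirm it is still the intended trust anchor for the chain file.
    root_certificate: https://letsencrypt.org/certs/trustid-x3-root.pem.txt
    domains:
      - rhv.mgmt.toal.ca
      - rhv.lan.toal.ca

  pre_tasks:
    - name: Ensure Let's Encrypt Account Exists
      acme_account:
        state: present
        acme_directory: "{{ acme_directory }}"
        terms_agreed: true
        allow_creation: true
        # Reuse acme_email instead of keeping a second copy of the address in sync.
        contact:
          - "mailto:{{ acme_email }}"
        account_key_content: "{{ acme_key }}"
        acme_version: 2

  roles:
    - acme-certificate

- name: Install custom CA Certificate in RHV-M
  hosts: rhv.mgmt.toal.ca
  become: true

  vars:
    # Single source of truth for the key/certificate paths that both the copy
    # tasks and the websocket proxy configuration below refer to.
    rhvm_apache_cert: /etc/pki/ovirt-engine/certs/apache.cer
    rhvm_apache_key: /etc/pki/ovirt-engine/keys/apache.key.nopass

  tasks:
    - name: Certificate trust in store
      copy:
        src: "{{ acme_rootchain_file }}"
        dest: /etc/pki/ca-trust/source/anchors/
      register: rootchain_result
      notify: restart httpd

    - name: Certificate store updated
      command: /usr/bin/update-ca-trust
      when: rootchain_result is changed
      notify: restart httpd

    - name: CA Rootchain in Apache config
      copy:
        src: "{{ acme_rootchain_file }}"
        dest: /etc/pki/ovirt-engine/apache-ca.pem
        backup: true
      notify: restart httpd

    - name: Private key installed
      copy:
        src: "{{ acme_key_file }}"
        dest: "{{ rhvm_apache_key }}"
        # Unencrypted private key: must never be world-readable. copy preserves the
        # owner/group of an existing destination; 0640 keeps group read for the
        # service account running the websocket proxy — TODO confirm that account
        # is in the file's group on this host before relying on it.
        mode: "0640"
        backup: true
      notify:
        - restart httpd
        - restart ovirt-websocket-proxy

    - name: Certificate installed
      copy:
        src: "{{ acme_cert_file }}"
        dest: "{{ rhvm_apache_cert }}"
        backup: true
      notify:
        - restart httpd
        - restart ovirt-websocket-proxy

    - name: Trust Store Configuration
      copy:
        dest: /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf
        content: |
          ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
          ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
      notify:
        - restart ovn
        - restart ovirt-engine

    # lineinfile without a regexp only appends: an existing SSL_CERTIFICATE= or
    # SSL_KEY= line would stay in place and the file would carry two values for the
    # same setting. Anchoring on the setting name replaces the existing line instead.
    - name: Websocket Proxy configuration
      lineinfile:
        path: /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf
        state: present
        backup: true
        regexp: "^{{ item.key }}="
        line: "{{ item.key }}={{ item.value }}"
      loop:
        # NOTE(review): SSL_CERTIFICATE previously pointed at
        # /etc/pki/ovirt-engine/apache.cer, which nothing in this playbook writes;
        # it now references the certificate installed above. Confirm whether the
        # proxy needs the leaf certificate alone or a certificate+chain file.
        - key: SSL_CERTIFICATE
          value: "{{ rhvm_apache_cert }}"
        - key: SSL_KEY
          value: "{{ rhvm_apache_key }}"
      loop_control:
        label: "{{ item.key }}"
      notify:
        - restart ovn
        - restart ovirt-engine
        - restart ovirt-websocket-proxy

  handlers:
    - name: restart httpd
      service:
        name: httpd
        state: restarted

    - name: restart ovn
      service:
        name: ovirt-provider-ovn
        state: restarted

    - name: restart ovirt-engine
      service:
        name: ovirt-engine
        state: restarted

    # The proxy reads the key/certificate paths and its own conf.d file; without a
    # restart it keeps serving the old certificate after the files are replaced.
    - name: restart ovirt-websocket-proxy
      service:
        name: ovirt-websocket-proxy
        state: restarted

- name: Create RHV/ovirt VLANs
  hosts: rhv.mgmt.toal.ca
  connection: local

  vars:
    # Hack to work around virtualenv python interpreter
    ansible_python_interpreter: "{{ ansible_playbook_python }}"

  tasks:
    - name: Ensure logical networks exist
      ovirt_network:
        auth: "{{ ovirt_auth }}"
        fetch_nested: true
        data_center: "{{ item.data_center }}"
        name: "{{ item.name }}"
        # vlan_tag is optional per network; omit the parameter when not given.
        vlan_tag: "{{ item.vlan_tag | default(omit) }}"
        vm_network: "{{ item.vm_network }}"
        mtu: "{{ item.mtu }}"
        description: "{{ item.description }}"
      loop: "{{ ovirt_networks }}"
      loop_control:
        label: "{{ item.name }}"
      register: networkinfo

    - name: Show network results
      debug:
        msg: "{{ networkinfo }}"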