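---
# Installs HashiCorp Vault from the official apt repository, renders its
# configuration, starts the service, initialises the operator (5 key shares,
# threshold 3), persists the unseal keys and root token to disk, and unseals
# the instance.
#
# Variables consumed (unchanged from the original playbook):
#   VAULT_ADDR_ENV          - exported as VAULT_ADDR for the vault CLI
#   vaultdata               - Vault storage directory
#   unseal_keys_dir_output  - directory receiving one file per unseal key
#   root_token_dir_output   - directory receiving the "rootkey" file
# Template: config.hcl.j2 (rendered to /etc/vault.d/vault.hcl).
#
# The play is not re-runnable: `vault operator init` fails once Vault is
# initialised, so it is meant for a fresh install.
- hosts: all
  # become_user alone does nothing; privilege escalation has to be switched on
  # for it to take effect, so make it explicit here instead of relying on
  # ansible.cfg / the command line.
  become: true
  become_user: root
  environment:
    # A play-level environment applies to every task, so the per-task copies
    # the original repeated are not needed.
    VAULT_ADDR: "{{ VAULT_ADDR_ENV }}"
  tasks:
    - name: Install Dependencies | pip install ply version 3.8 for hvac[parser]
      pip:
        name: ply
        version: "3.8"
        extra_args: --user

    - name: Install Dependencies | Install python packages
      pip:
        name:
          - hvac
          - hvac[parser]
        extra_args: --user

    ## Install Hashicorp Vault
    # apt-key is deprecated and trusts the key for every repository; keep the
    # key in its own keyring and bind the repository to it with signed-by.
    # pipefail keeps a failed download from leaving an empty keyring behind
    # that `creates` would then treat as done.
    - name: Install Vault | Add GPG Key
      shell:
        cmd: >-
          set -o pipefail &&
          curl -fsSL https://apt.releases.hashicorp.com/gpg
          | gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
        executable: /bin/bash
        creates: /usr/share/keyrings/hashicorp-archive-keyring.gpg

    # The original passed an `apt-add-repository ...` command line as `repo`
    # and interpolated the registered result dict rather than its stdout.
    # `repo` takes the sources.list line itself, and the release codename is
    # already available as a gathered fact.
    - name: Install Vault | Add repository
      apt_repository:
        repo: >-
          deb [arch=amd64 signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg]
          https://apt.releases.hashicorp.com {{ ansible_distribution_release }} main
        state: present
        filename: hashicorp

    - name: Install Vault | install Hashicorp Vault
      apt:
        name: vault
        state: latest
        update_cache: true

    # `path` is a single string, not a list. 0777 made the storage backend
    # world-writable; only the vault service account needs access.
    # recurse is kept from the original, so the mode is applied to existing
    # contents as well.
    - name: Install Vault | Create a directory if it does not exist
      file:
        path: "{{ vaultdata }}"
        state: directory
        recurse: true
        owner: vault
        group: vault
        mode: '0700'

    - name: Install Vault | Remove file vault.hcl (delete file)
      file:
        path: /etc/vault.d/vault.hcl
        state: absent

    - name: Install Vault | Copy Config file
      template:
        dest: /etc/vault.d/vault.hcl
        src: config.hcl.j2
        owner: vault
        group: vault
        mode: '0644'

    - name: Install Vault | Start vault service
      systemd:
        state: restarted
        name: vault
        enabled: true
        daemon_reload: true

    # Opens the API port to every source in the default zone; add a `source`
    # or zone restriction when the listener should not be network-wide.
    - name: Install Vault | Open port 8200
      ansible.posix.firewalld:
        port: 8200/tcp
        permanent: true
        state: enabled

    - name: Install Vault | reload service firewalld
      systemd:
        name: firewalld
        state: reloaded

    ## Create Hashicorp Vault keys and token
    - name: Vault Keys/tokens | Create unseal directories
      file:
        path: "{{ unseal_keys_dir_output }}"
        state: directory
        mode: '0700'

    - name: Vault Keys/tokens | Create root key directories
      file:
        path: "{{ root_token_dir_output }}"
        state: directory
        mode: '0700'

    # NOTE(review): nothing waits for the listener after the restart above;
    # a wait_for/uri check against VAULT_ADDR_ENV would remove the race.
    # The JSON on stdout carries every unseal key and the root token, so
    # no_log keeps it out of controller output and log files.
    - name: Vault Keys/tokens | Initialise Vault operator
      shell: vault operator init -key-shares=5 -key-threshold=3 -format json
      register: vault_init_results
      no_log: true

    - name: Vault Keys/tokens | Parse output of vault init
      set_fact:
        vault_init_parsed: "{{ vault_init_results.stdout | from_json }}"
      no_log: true

    # Key files default to the umask (typically 0644); pin them to owner-only.
    - name: Vault Keys/tokens | Write unseal keys to files
      copy:
        dest: "{{ unseal_keys_dir_output }}/unseal_key_{{ idx }}"
        content: "{{ item }}"
        mode: '0600'
      loop: "{{ vault_init_parsed.unseal_keys_hex }}"
      loop_control:
        index_var: idx
      no_log: true

    - name: Vault Keys/tokens | Write root token to file
      copy:
        content: "{{ vault_init_parsed.root_token }}"
        dest: "{{ root_token_dir_output }}/rootkey"
        mode: '0600'
      no_log: true

    # cacheable writes the root token into the fact cache when one is
    # configured; kept from the original because later plays may read it.
    - name: Vault Keys/tokens | set root token as fact
      set_fact:
        vault_token: "{{ vault_init_parsed.root_token }}"
        cacheable: true
      no_log: true

    # The original printed the root token itself; confirm the fact exists
    # without echoing its value.
    - name: Vault Keys/tokens | Confirm root token fact
      debug:
        msg: "vault_token fact set (value withheld)"

    # NOTE(review): /etc/environment is world-readable, so the root token
    # becomes visible to every local account; a per-user or service-scoped
    # token would limit that. no_log keeps it out of --diff output.
    - name: Vault Keys/tokens | Add environmental vars
      blockinfile:
        path: /etc/environment
        block: |
          export VAULT_ADDR="{{ VAULT_ADDR_ENV }}"
          export VAULT_TOKEN="{{ vault_token }}"
      no_log: true

    ## unseal vault
    # The original re-read the key files with with_fileglob, which expands on
    # the controller rather than the target, so it only worked when both were
    # the same machine. The keys are still in vault_init_parsed; use them
    # directly. All shares are submitted as before; Vault needs key-threshold
    # of them.
    - name: Vault Keys/tokens | Unseal vault with unseal keys
      command: vault operator unseal {{ item }}
      loop: "{{ vault_init_parsed.unseal_keys_hex }}"
      no_log: true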