---
- name: Validate parameters
  ansible.builtin.assert:
    that:
      - keycloak.home is defined
      - keycloak_quarkus_service_user is defined
      - keycloak_quarkus_dest is defined
      - keycloak_quarkus_archive is defined
      - keycloak_quarkus_download_url is defined
      - keycloak_quarkus_version is defined
    quiet: true

- name: Check for an existing deployment
  become: true
  ansible.builtin.stat:
    path: "{{ keycloak.home }}"
  register: existing_deploy

- name: "Create {{ keycloak.service_name }} service user/group"
  become: true
  ansible.builtin.user:
    name: "{{ keycloak.service_user }}"
    home: /opt/keycloak
    system: true
    create_home: false

- name: "Create {{ keycloak.service_name }} install location"
  become: true
  ansible.builtin.file:
    dest: "{{ keycloak_quarkus_dest }}"
    state: directory
    owner: "{{ keycloak.service_user }}"
    group: "{{ keycloak.service_group }}"
    mode: '0750'

- name: Create directory for ansible custom facts
  become: true
  ansible.builtin.file:
    state: directory
    recurse: true
    path: /etc/ansible/facts.d

## check remote archive
- name: Set download archive path
  ansible.builtin.set_fact:
    archive: "{{ keycloak_quarkus_dest }}/{{ keycloak.bundle }}"

- name: Check download archive path
  become: true
  ansible.builtin.stat:
    path: "{{ archive }}"
  register: archive_path

## download to controller
- name: Check local download archive path
  ansible.builtin.stat:
    path: "{{ lookup('env', 'PWD') }}"
  register: local_path
  delegate_to: localhost
  run_once: true
  become: false

- name: Download keycloak archive
  ansible.builtin.get_url: # noqa risky-file-permissions delegated, uses controller host user
    url: "{{ keycloak_quarkus_download_url }}"
    dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
    mode: '0640'
  delegate_to: localhost
  become: false
  run_once: true
  when:
    - archive_path is defined
    - archive_path.stat is defined
    - not archive_path.stat.exists
    - not keycloak.offline_install
    - not rhbk_enable is defined or not rhbk_enable

- name: Perform download from RHN using JBoss Network API
  delegate_to: localhost
  run_once: true
  when:
    - archive_path is defined
    - archive_path.stat is defined
    - not archive_path.stat.exists
    - rhbk_enable is defined and rhbk_enable
    - not keycloak.offline_install
  block:
    - name: Retrieve product download using JBoss Network API
      middleware_automation.common.product_search:
        client_id: "{{ rhn_username }}"
        client_secret: "{{ rhn_password }}"
        product_type: DISTRIBUTION
        product_version: "{{ rhbk_version }}"
        product_category: "{{ rhbk_product_category }}"
      register: rhn_products
      no_log: "{{ omit_rhn_output | default(true) }}"
      delegate_to: localhost
      run_once: true

    - name: Determine install zipfile from search results
      ansible.builtin.set_fact:
        rhn_filtered_products: "{{ rhn_products.results | selectattr('file_path', 'match', '[^/]*/' + rhbk_archive + '$') }}"
      delegate_to: localhost
      run_once: true

    - name: Download Red Hat Build of Keycloak
      middleware_automation.common.product_download: # noqa risky-file-permissions delegated, uses controller host user
        client_id: "{{ rhn_username }}"
        client_secret: "{{ rhn_password }}"
        product_id: "{{ (rhn_filtered_products | first).id }}"
        dest: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
        mode: '0640'
      no_log: "{{ omit_rhn_output | default(true) }}"
      delegate_to: localhost
      run_once: true
      become: false

- name: Check downloaded archive
  ansible.builtin.stat:
    path: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
  register: local_archive_path
  delegate_to: localhost
  become: false
  run_once: true

## copy and unpack
- name: Copy archive to target nodes
  ansible.builtin.copy:
    src: "{{ local_path.stat.path }}/{{ keycloak.bundle }}"
    dest: "{{ archive }}"
    owner: "{{ keycloak.service_user }}"
    group: "{{ keycloak.service_group }}"
    mode: '0640'
  register: new_version_downloaded
  when:
    - not archive_path.stat.exists
    - local_archive_path.stat is defined
    - local_archive_path.stat.exists
  become: true

- name: "Check target directory: {{ keycloak.home }}/bin/"
  ansible.builtin.stat:
    path: "{{ keycloak.home }}/bin/"
  register: path_to_workdir
  become: true

- name: "Extract Keycloak archive on target" # noqa no-handler need to run this here
  ansible.builtin.unarchive:
    remote_src: true
    src: "{{ archive }}"
    dest: "{{ keycloak_quarkus_dest }}"
    creates: "{{ keycloak.home }}/bin/"
    owner: "{{ keycloak.service_user }}"
    group: "{{ keycloak.service_group }}"
  become: true
  when:
    - (not path_to_workdir.stat.exists) or new_version_downloaded.changed
  notify:
    - restart keycloak

- name: Inform decompression was not executed
  ansible.builtin.debug:
    msg: "{{ keycloak.home }} already exists and version unchanged, skipping decompression"
  when:
    - (not new_version_downloaded.changed) and path_to_workdir.stat.exists

- name: "Copy private key to target"
  ansible.builtin.copy:
    content: "{{ keycloak_quarkus_key_content }}"
    dest: "{{ keycloak_quarkus_key_file }}"
    owner: "{{ keycloak.service_user }}"
    group: "{{ keycloak.service_group }}"
    mode: '0640'
  become: true
  when:
    - keycloak_quarkus_https_key_file_enabled is defined and keycloak_quarkus_https_key_file_enabled
    - keycloak_quarkus_key_file_copy_enabled is defined and keycloak_quarkus_key_file_copy_enabled
    - keycloak_quarkus_key_content | length > 0

- name: "Copy certificate to target"
  ansible.builtin.copy:
    src: "{{ keycloak_quarkus_cert_file_src }}"
    dest: "{{ keycloak_quarkus_cert_file }}"
    owner: "{{ keycloak.service_user }}"
    group: "{{ keycloak.service_group }}"
    mode: '0644'
  become: true
  when:
    - keycloak_quarkus_https_key_file_enabled is defined and keycloak_quarkus_https_key_file_enabled
    - keycloak_quarkus_cert_file_copy_enabled is defined and keycloak_quarkus_cert_file_copy_enabled
    - keycloak_quarkus_cert_file_src | length > 0

- name: "Install {{ keycloak_quarkus_jdbc_engine }} JDBC driver"
  ansible.builtin.include_tasks: jdbc_driver.yml
  when:
    - rhbk_enable is defined and rhbk_enable
    - keycloak_quarkus_default_jdbc[keycloak_quarkus_jdbc_engine].driver_jar_url is defined

- name: "Download custom providers"
  ansible.builtin.get_url:
    url: "{{ item.url }}"
    dest: "{{ keycloak.home }}/providers/{{ item.id }}.jar"
    owner: "{{ keycloak.service_user }}"
    group: "{{ keycloak.service_group }}"
    mode: '0640'
  become: true
  loop: "{{ keycloak_quarkus_providers }}"
  when: item.url is defined and item.url | length > 0
  notify: "{{ ['rebuild keycloak config', 'restart keycloak'] if not item.restart is defined or not item.restart else [] }}"