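---
# Installs or upgrades Consul on every host in the `consul` inventory group,
# builds a CA plus one server certificate per group member on the designated
# CA host, and ships the certificates, TLS config and static config to all hosts.
- name: Deploy consul cluster
  hosts:
    - consul
  gather_facts: true
  vars:
    # Release installed by the upgrade block; the version check compares
    # against this same string, so both stay in step when bumping.
    consul_release: "1.10.4"
    # The single host that generates the CA and all server certificates.
    consul_ca_host: cnsl01
  tasks:
    # `unzip` is needed by unarchive; the distro `consul` package supplies the
    # initial /usr/sbin/consul that the upgrade block may replace.
    - name: Install zip utils
      apk:
        name:
          - unzip
          - consul
        state: present

    - name: Check for upgrade requirement
      command: /usr/sbin/consul version
      register: consul_version
      changed_when: false

    - name: Apply upgrades if needed
      # Skip when the running binary already reports the pinned release.
      when: ('Consul v' ~ consul_release) not in consul_version.stdout
      block:
        - name: Obtain consul binary
          get_url:
            url: "https://releases.hashicorp.com/consul/{{ consul_release }}/consul_{{ consul_release }}_linux_amd64.zip"
            dest: /tmp/consul.zip
            # NOTE(review): no checksum is pinned, so a tampered or truncated
            # download would still be unpacked into /usr/sbin; add the
            # published digest for this release, e.g.
            # checksum: "sha256:<SHA256_FROM_RELEASE_PAGE>"

        - name: Remove old consul binary
          file:
            path: /usr/sbin/consul
            state: absent

        - name: Expand binary
          unarchive:
            src: /tmp/consul.zip
            dest: /usr/sbin/
            remote_src: true

    - name: Create keys directory
      file:
        path: /etc/consul.keys
        state: directory
        owner: root
        # NOTE(review): no mode is set, so this directory (which holds the
        # private keys, and the CA key on the CA host) gets the umask default;
        # tighten it once the user the agent runs as is confirmed.

    - name: Set up CA and create certs
      # Only the CA host runs these; the other servers receive their files below.
      when: inventory_hostname == consul_ca_host
      block:
        - name: Create a CA for key creation
          command: consul tls ca create
          args:
            chdir: /etc/consul.keys
            creates: /etc/consul.keys/consul-agent-ca-key.pem

        # Copies the CA certificate and its private key to the controller under
        # files/keys/. Only the certificate is redistributed later; the key is
        # not used by any other task in this play.
        - name: Retrieve new CA key and certificate
          fetch:
            src: '/etc/consul.keys/{{ item }}'
            dest: 'files/keys/{{ item }}'
            flat: true
          loop:
            - consul-agent-ca-key.pem
            - consul-agent-ca.pem

        - name: Install server certificate script
          copy:
            src: 'files/scripts/consul-server-cert.sh'
            dest: '/usr/sbin/consul-server-cert'
            mode: '0700'

        # One certificate/key pair per host in the group, named after the host.
        # Path fixed: the script is installed as consul-server-cert above (the
        # previous invocation pointed at a misspelled consol-server-cert).
        - name: Create server certificates
          command: '/usr/sbin/consul-server-cert {{ item }}'
          args:
            chdir: /etc/consul.keys
            creates: '/etc/consul.keys/{{ item }}.key.pem'
          loop: "{{ groups.consul }}"

        - name: Retrieve server certificates
          fetch:
            src: '/etc/consul.keys/{{ item }}.pem'
            dest: 'files/keys/{{ item }}.pem'
            flat: true
          loop: "{{ groups.consul }}"

        - name: Retrieve server keys
          fetch:
            src: '/etc/consul.keys/{{ item }}.key.pem'
            dest: 'files/keys/{{ item }}.key.pem'
            flat: true
          loop: "{{ groups.consul }}"

    # `src` is resolved relative to the playbook's files/ directory, matching
    # the fetch destinations above.
    - name: Distribute CA certificate
      copy:
        src: keys/consul-agent-ca.pem
        dest: /etc/consul.keys/consul-agent-ca.pem

    - name: Distribute certificates and keys
      # The CA host already holds its own pair from the generation step.
      when: inventory_hostname != consul_ca_host
      block:
        - name: Ship certificate
          copy:
            src: "keys/{{ inventory_hostname }}.pem"
            dest: "/etc/consul.keys/{{ inventory_hostname }}.pem"

        - name: Ship key
          copy:
            src: "keys/{{ inventory_hostname }}.key.pem"
            dest: "/etc/consul.keys/{{ inventory_hostname }}.key.pem"
            # NOTE(review): no mode is given, so the private key is written
            # with the umask default; set mode/owner to match the agent user.

    - name: Update server tls config
      template:
        src: tls.json
        dest: /etc/consul/

    - name: Copy static server config files
      copy:
        src: files/server_cfg/
        dest: /etc/consul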