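---
# Ansible task list: installs the Nomad binary and podman driver, writes the
# systemd unit and config, issues a TLS cert from Vault, and starts the service.
# Expected vars (not defined here): nomad_version, nomad_podman_driver_version,
# vault_pki_policy, main_dc_name, consul_domain.
# Expected handlers (not defined here): daemon_reload, restart_nomad, reload_nomad.

- name: ensure nomad group
  group:
    name: nomad
    state: present
    system: true

- name: ensure nomad user
  user:
    name: nomad
    state: present
    group: nomad
    # Membership in "podman" is what the podman driver task below relies on.
    groups:
      - podman
    append: true
    system: true

- name: ensure nomad config dir
  file:
    path: /etc/nomad.d/
    state: directory
    owner: nomad
    group: nomad
    mode: "0755"

- name: ensure nomad data dir
  file:
    path: /opt/nomad
    state: directory
    owner: nomad
    group: nomad
    mode: "0755"

# Strips the leading "Nomad v" so stdout is comparable to nomad_version.
# NOTE(review): without `set -o pipefail` a missing binary still yields rc=0
# with empty stdout, which makes the install task below run — verify this is
# the intended first-install path.
- name: check nomad version
  shell:
    cmd: "nomad --version | head -1 | cut -d'v' -f2"
  args:
    executable: /bin/bash
  changed_when: false
  register: installed_nomad_version
  check_mode: false

# TODO(review): the release zip is fetched over HTTPS but not checksum-verified;
# consider a get_url step with `checksum:` (the release SHA256SUMS file) before
# unarchiving.
- name: get nomad
  unarchive:
    src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip"
    dest: /usr/local/bin/
    mode: "0755"
    owner: root
    group: root
    remote_src: true
  when: installed_nomad_version.stdout != nomad_version

# NOTE(review): unit files are conventionally 0644; 0755 marks it executable
# for no reason. Left unchanged here to preserve existing behaviour.
- name: copy nomad unit file
  copy:
    src: files/nomad.service
    dest: /etc/systemd/system/nomad.service
    mode: "0755"
    owner: root
    group: root
  notify: daemon_reload

# NOTE(review): 0755 makes the config world-readable; if nomad.hcl carries
# tokens or ACL secrets, 0640 (root:nomad) would be the safer choice. Left
# unchanged here to preserve existing behaviour.
- name: template nomad config
  template:
    src: templates/nomad.hcl.j2
    dest: /etc/nomad.d/nomad.hcl
    owner: root
    group: root
    mode: "0755"
  notify: restart_nomad

- name: ensure nomad plugins dir
  file:
    path: /opt/nomad_plugins
    state: directory
    owner: nomad
    group: nomad
    mode: "0755"

# TODO(review): same as the nomad download — no checksum verification, and no
# `when:` guard, so the archive is re-fetched on every run.
- name: get nomad podman plugins
  unarchive:
    src: "https://releases.hashicorp.com/nomad-driver-podman/{{ nomad_podman_driver_version }}/nomad-driver-podman_{{ nomad_podman_driver_version }}_linux_amd64.zip"
    dest: /opt/nomad_plugins/
    mode: "0755"
    owner: nomad
    group: nomad
    remote_src: true

# Renamed from the duplicate "ensure nomad config dir" so task output is unambiguous.
- name: ensure nomad certs dir
  file:
    path: /etc/nomad.d/certs/
    state: directory
    owner: nomad
    group: nomad
    mode: "0755"

# 432000 s = 5 days. rc != 0 means the cert is missing or expires within that
# window, which triggers re-issuance below. failed_when: false keeps a missing
# cert from aborting the play.
- name: check if server cert is expiring in the next 5 days
  shell: "openssl x509 -checkend 432000 -noout -in /etc/nomad.d/certs/nomad.pem"
  args:
    executable: /bin/bash
  failed_when: false
  check_mode: false
  changed_when: false
  register: exp

# The Vault token is read from the controller's ~/.vault-token and passed via
# the remote environment; the response contains the private key. no_log keeps
# both out of verbose/debug output.
# NOTE(review): VAULT_ADDR is plain http, so the token and issued key cross the
# network unencrypted — confirm whether this endpoint is meant to be TLS.
- name: get cert
  shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=nomad.service.{{ main_dc_name }}.{{ consul_domain }} alt_names=nomad.service.{{ consul_domain }} ttl=43200m"
  args:
    executable: /bin/bash
  environment:
    VAULT_ADDR: http://vault.service.masked.name:8200
    VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
    VAULT_FORMAT: json
  register: cert_data
  no_log: true
  when: exp.rc != 0
  notify: reload_nomad

# Runs only when a fresh cert was issued above (cert_data.changed is false
# when "get cert" was skipped). no_log because item.content holds the key.
- name: write cert data to server
  copy:
    content: "{{ item.content }}"
    dest: "/etc/nomad.d/certs/{{ item.path }}"
    mode: "{{ item.mode }}"
    owner: nomad
    group: nomad
  no_log: true
  when: cert_data.changed
  loop:
    - content: "{{ (cert_data.stdout | from_json).data.certificate }}"
      path: "nomad.pem"
      mode: "0755"
    - content: "{{ (cert_data.stdout | from_json).data.private_key }}"
      path: "nomad.key"
      mode: "0600"

- name: ensure nomad is started and enabled
  systemd:
    name: nomad
    state: started
    enabled: true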