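---
# Issue (and periodically renew) the docker registry's TLS certificate from
# Vault's intermediate PKI, install the cert + key on the host, and run
# registry:2 behind that certificate.
#
# Variables expected from the caller: vault_pki_policy, main_dc_name,
# consul_domain, docker_registry_mnt.

- name: check if server cert is expiring in the next 5 days
  # 432000 s = 5 days. A missing file also yields rc != 0, which is exactly the
  # case in which a cert must be issued, so this task is never allowed to fail.
  command: "openssl x509 -checkend 432000 -noout -in /etc/pki/certs/docker_registry.crt"
  failed_when: false
  check_mode: false
  changed_when: false
  register: exp

- name: get cert
  # `command` instead of `shell`: the arguments are built from inventory
  # variables, and a shell would re-interpret any metacharacters in them.
  # Runs on the managed host (no delegate_to), so `vault` must be installed
  # there and the controller's token is handed to that host via the environment.
  # NOTE(review): VAULT_ADDR is plain http — the token and the issued private
  # key cross the network unencrypted. Switch to https once the listener has TLS.
  command: >-
    vault write pki_int/issue/{{ vault_pki_policy }}
    common_name=docker.service.{{ main_dc_name }}.{{ consul_domain }}
    ttl=43200m
  environment:
    VAULT_ADDR: http://ivyking.minhas.io:8200
    VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
    VAULT_FORMAT: json
  register: cert_data
  # The result carries the private key; keep it out of the logs. (Drop no_log
  # temporarily when debugging a failing `vault write`.)
  no_log: true
  when: exp.rc != 0

# Two plain tasks rather than one loop: Ansible templates `loop` before it
# evaluates `when`, so when "get cert" was skipped the loop expression would
# fail on the missing `cert_data.stdout`. A non-looped task checks `when` first.
- name: write server cert
  copy:
    content: "{{ (cert_data.stdout | from_json).data.certificate }}"
    dest: /etc/pki/certs/docker_registry.crt
    owner: root
    group: root
    mode: "0644"
  when: cert_data is changed

- name: write server private key
  copy:
    content: "{{ (cert_data.stdout | from_json).data.private_key }}"
    dest: /etc/pki/keys/docker_registry.key
    owner: root
    group: root
    mode: "0600"
  no_log: true
  when: cert_data is changed

- name: ensure python-docker is installed
  apt:
    name: python3-docker
    state: present

- name: ensure docker registry ssl dir
  file:
    path: /etc/docker_registry/
    state: directory
    owner: root
    group: root
    mode: "0755"

# The files under /etc/docker_registry are hard links to the /etc/pki copies:
# both names share one inode and therefore one mode, so the mode set here is
# also the mode of the /etc/pki file. `force: true` is needed for rotation:
# `copy` replaces the /etc/pki file with a fresh inode, leaving the existing
# link pointing at the old cert, and the file module refuses to replace a
# non-matching destination without force.
- name: ensure docker registry cert
  file:
    state: hard
    src: /etc/pki/certs/docker_registry.crt
    dest: /etc/docker_registry/docker_registry.crt
    owner: root
    group: root
    mode: "0644"
    force: true

- name: ensure docker registry private key
  # 0600, not 0644: the previous mode made the private key world-readable on
  # the host. Assumes the registry process runs as root inside the container
  # (registry:2's default) — confirm if the image or a `user:` override changes that.
  file:
    state: hard
    src: /etc/pki/keys/docker_registry.key
    dest: /etc/docker_registry/docker_registry.key
    owner: root
    group: root
    mode: "0600"
    force: true

- name: run docker registry
  # REGISTRY_HTTP_SECRET comes from Vault via a lookup, which runs on the
  # controller with the controller's Vault credentials. The host port binds on
  # all interfaces; restrict the bind address here if the host is multi-homed.
  docker_container:
    name: registry
    image: registry:2
    env:
      REGISTRY_HTTP_ADDR: "0.0.0.0:443"
      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/docker_registry.crt
      REGISTRY_HTTP_TLS_KEY: /certs/docker_registry.key
      REGISTRY_HTTP_SECRET: "{{ lookup('hashi_vault', 'secret=kv/data/docker:data')['REGISTRY_HTTP_SECRET'] }}"
    ports:
      - "5000:443"
    volumes:
      - "{{ docker_registry_mnt }}:/var/lib/registry"
      - "/etc/docker_registry:/certs"
    restart_policy: always
    # The registry loads its cert at startup, so a renewed cert is only served
    # after a restart; force one whenever a new cert was issued in this run.
    restart: "{{ cert_data is changed }}"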