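---
# Provision a Consul server on FreeBSD: service account, config/cert/data
# directories, a Vault-issued TLS certificate (re-issued when it expires
# within 5 days), the consul package, the rendered config and the service.
#
# Changes from the original: booleans written as true/false, file modes
# quoted (a bare 0755 is parsed as an octal int by YAML 1.1 loaders), the
# duplicated task name for the certs dir made unique, the certificate file
# no longer carries an execute bit, and the two tasks that handle the
# private key are marked no_log so the key does not land in task output or
# callback logs.

- name: ensure consul group
  group:
    name: consul
    state: present
    system: true

- name: ensure consul user
  user:
    name: consul
    state: present
    group: consul
    system: true

- name: ensure consul config dir
  file:
    path: /usr/local/etc/consul.d/
    state: directory
    owner: consul
    group: consul
    mode: "0755"

- name: ensure consul certs dir
  file:
    path: /usr/local/etc/consul.d/certs
    state: directory
    owner: consul
    group: consul
    mode: "0755"

# rc is non-zero both when the cert expires within 432000 s (5 days) and
# when the file does not exist yet, so a first run also triggers issuance.
- name: check if server cert is expiring in the next 5 days
  shell: "openssl x509 -checkend 432000 -noout -in /usr/local/etc/consul.d/certs/consul-server.pem"
  args:
    executable: /usr/local/bin/bash
  failed_when: false
  check_mode: false
  changed_when: false
  register: exp

# The registered result holds the issued private key; no_log keeps it out
# of task output and callback logs.
- name: get cert
  shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=server.{{ main_dc_name }}.{{ consul_domain }} alt_names=consul.service.{{ consul_domain }},consul.service.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
  args:
    executable: /usr/local/bin/bash
  environment:
    # NOTE(review): plain http — the token below is sent unencrypted to
    # the Vault listener; confirm that is intended or switch to https.
    VAULT_ADDR: http://ivyking.minhas.io:8200
    VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
    VAULT_FORMAT: json
  register: cert_data
  no_log: true
  when: exp.rc != 0
  notify: reload_consul

# Loop items carry the key material, so this task is no_log as well.
# cert_data.changed is false when the issuing task was skipped, so the
# existing files are left untouched in that case.
- name: write cert data to server
  copy:
    content: "{{ item.content }}"
    dest: "/usr/local/etc/consul.d/certs/{{ item.path }}"
    mode: "{{ item.mode }}"
    owner: consul
    group: consul
  no_log: true
  when: cert_data.changed
  loop:
    - content: "{{ (cert_data.stdout | from_json).data.certificate }}"
      path: consul-server.pem
      mode: "0644"  # a certificate needs to be readable, not executable
    - content: "{{ (cert_data.stdout | from_json).data.private_key }}"
      path: consul-server.key
      mode: "0600"

- name: ensure consul data dir
  file:
    path: /opt/consul
    state: directory
    owner: consul
    group: consul
    mode: "0755"

# Registered for use elsewhere; nothing in this file consumes it.
- name: check consul version
  shell:
    cmd: "consul --version | head -1 | cut -d'v' -f2"
  args:
    executable: /usr/local/bin/bash
  changed_when: false
  failed_when: false
  register: installed_consul_version
  check_mode: false

- name: get consul
  pkgng:
    name: "consul-{{ consul_version }}"
    state: present

- name: template consul config
  template:
    src: templates/consul.hcl.j2
    dest: /usr/local/etc/consul.d/consul.hcl
    owner: root
    group: consul
    mode: "0750"
  notify: restart_consul_fbsd

- name: enable and start consul
  service:
    name: consul
    state: started
    enabled: true
...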