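---
# Nexus 3 provisioning tasks: create the service account and directories,
# issue a TLS certificate from Vault's intermediate PKI when the current one
# is close to expiry, bundle it into a PKCS#12 keystore for the container,
# then run Nexus under Docker and register it with Consul.
#
# Tasks whose arguments or registered results carry key material, the Vault
# token or the registry secret set `no_log: true` so nothing secret is
# written to Ansible output or log files. The price is that failures of
# those tasks show no detail; rerun with no_log removed when debugging.

# Account and directories come first: the keystore export below writes into
# {{ nexus_config_dir }}/etc/ssl and the permission fix-up references the
# nexus user, so both must exist before the certificate tasks run.
- name: ensure nexus group exists
  group:
    name: nexus
    state: present
    gid: 200

- name: ensure nexus user exists
  user:
    name: nexus
    group: nexus
    uid: 200
    create_home: false

# `state: directory` creates missing parents, so the ssl and etc paths do not
# need their own entries. {{ nexus_storage }}/etc is created here because
# `copy` does not create the destination directory for nexus.properties.
- name: ensure nexus directories exist
  file:
    path: "{{ item }}"
    state: directory
    owner: nexus
    group: nexus
    mode: "0755"
  loop:
    - "{{ nexus_storage }}"
    - "{{ nexus_storage }}/etc"
    - "{{ nexus_config_dir }}"
    - "{{ nexus_config_dir }}/etc/ssl/"

# Required by the `expect` module used for the keystore export.
- name: ensure pexpect exists
  pip:
    name: pexpect
    state: present

# rc 0 means the certificate is still valid 5 days (432000 s) from now.
# A missing file also gives a non-zero rc, which is what triggers issuance
# on a fresh host, hence failed_when: false.
- name: check if server cert is expiring in the next 5 days
  shell: "openssl x509 -checkend 432000 -noout -in /etc/pki/certs/nexus.crt"
  args:
    executable: /bin/bash
  failed_when: false
  check_mode: false
  changed_when: false
  register: exp

# Vault's JSON response (registered as cert_data) contains the private key,
# and the environment carries the operator's Vault token: neither may be
# logged.
- name: get cert
  shell: >-
    vault write pki_int/issue/{{ vault_pki_policy }}
    common_name=nexus.service.{{ consul_domain }}
    alt_names=nexus.service.{{ main_dc_name }}.{{ consul_domain }},docker.service.{{ consul_domain }},docker.service.{{ main_dc_name }}.{{ consul_domain }}
    ttl=43200m
  args:
    executable: /bin/bash
  environment:
    VAULT_ADDR: "https://vault.service.masked.name:8200"
    VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
    VAULT_FORMAT: json
  register: cert_data
  no_log: true
  when: exp.rc != 0

# Loop items are templated before `when` is evaluated, so they must not
# reference cert_data.stdout, which is undefined when the issuance task was
# skipped; the lookup into the Vault response is done in `content` instead.
# The certificate is public but has no reason to be executable, so it gets
# 0644; the key stays root-only.
- name: write cert data to server
  copy:
    content: "{{ (cert_data.stdout | from_json).data[item.field] }}"
    dest: "/etc/pki/{{ item.path }}"
    mode: "{{ item.mode }}"
    owner: root
    group: root
  loop:
    - { field: certificate, path: "certs/nexus.crt", mode: "0644" }
    - { field: private_key, path: "keys/nexus.key", mode: "0600" }
  register: cert_written
  no_log: true
  when: cert_data.changed

# Build the PEM chain (server certificate followed by the root CA) for the
# PKCS#12 export. The `echo` guarantees a newline between the two files;
# truncating first stops a rerun after a failed export from appending a
# second copy of the chain.
# NOTE(review): /tmp/keystore.crt is a fixed, world-writable-directory path
# written as root; a path from the tempfile module or a root-owned
# directory would be the safer choice.
- name: create cert for keystore
  shell: ': > /tmp/keystore.crt; for i in nexus.crt MaskedName_Root_CA.pem; do (cat "/etc/pki/certs/${i}"; echo) >> /tmp/keystore.crt; done'
  args:
    executable: /bin/bash
  when: cert_written.changed

# The export password is a hard-coded literal and has to match whatever
# Nexus is configured with for this keystore; a vaulted variable would be
# preferable. Response keys are regexes matched against openssl's output,
# so the trailing colon of the prompt is not needed to match.
- name: write keystore
  expect:
    command: >-
      openssl pkcs12 -inkey /etc/pki/keys/nexus.key -in /tmp/keystore.crt
      -export -out {{ nexus_config_dir }}/etc/ssl/keystore.jks
    responses:
      'Enter Export Password':
        - password
      'Verifying - Enter Export Password':
        - password
  no_log: true
  when: cert_written.changed
  notify: restart nexus

# openssl creates the keystore with root's umask (usually 0644). The host
# nexus user is created with uid 200 above, presumably to match the uid the
# container runs as, so nexus:nexus 0640 is sufficient for the mounted
# etc/ssl volume — confirm against the image's runtime user.
- name: restrict keystore permissions
  file:
    path: "{{ nexus_config_dir }}/etc/ssl/keystore.jks"
    owner: nexus
    group: nexus
    mode: "0640"
  when: cert_written.changed

- name: remove tmp keystore
  file:
    path: /tmp/keystore.crt
    state: absent
  when: cert_written.changed

- name: copy nexus.properties
  copy:
    src: files/nexus.properties
    dest: "{{ nexus_storage }}/etc/nexus.properties"

# Needed by the docker_container module below.
- name: ensure python-docker is installed
  apt:
    name: python3-docker
    state: present

# REGISTRY_HTTP_SECRET is fetched from Vault at run time and the module's
# return value echoes the container's Env, hence no_log.
# NOTE(review): no volume mounts /certs into the container, so the
# REGISTRY_HTTP_TLS_* paths do not resolve inside it — confirm these
# variables are still used by this image.
- name: run nexus3
  docker_container:
    name: nexus
    image: sonatype/nexus3
    env:
      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/nexus.crt
      REGISTRY_HTTP_TLS_KEY: /certs/nexus.key
      REGISTRY_HTTP_SECRET: "{{ lookup('hashi_vault', 'secret=kv/data/nexus:data')['REGISTRY_HTTP_SECRET'] }}"
    ports:
      - "8081:8081"
      - "8082:8082"
    volumes:
      - "{{ nexus_storage }}:/nexus-data"
      - "{{ nexus_config_dir }}/etc/ssl:/opt/sonatype/nexus/etc/ssl/"
    restart_policy: always
  no_log: true

- name: ensure nexus consul service config exists
  copy:
    src: files/nexus.hcl
    dest: /etc/consul.d/nexus.hcl
    mode: "0750"
    owner: consul
    group: consul
  notify: reload consul
...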