#!/usr/bin/env ansible-playbook
# Copyright (C) The Arvados Authors. All rights reserved.
#
# SPDX-License-Identifier: Apache-2.0

- name: Bootstrap node
  hosts: default
  gather_facts: no
  tasks:
    - name: Load Arvados configuration file
      no_log: yes
      delegate_to: localhost
      ansible.builtin.include_vars:
        name: arvados_config
        file: "{{ arvados_config_file }}"
    - name: Load Arvados cluster configuration
      no_log: yes
      ansible.builtin.set_fact:
        arvados_cluster: "{{ arvados_config.Clusters[arvados_cluster_id] }}"
      failed_when: arvados_cluster is undefined
    - name: Get Crunch dispatch public key
      no_log: yes
      when: arvados_cluster.Containers.DispatchPrivateKey is defined and arvados_cluster.Containers.DispatchPrivateKey is truthy
      delegate_to: localhost
      block:
        # `ssh-keygen` supports reading stdin for some operations with `-f -`,
        # but `-y` is not one of those operations as of April 2025.
        # We MUST have the dispatch private key in a file with correct
        # permissions for `ssh-keygen -y -f` to read.
        - name: Prepare tempfile for dispatch private key
          ansible.builtin.tempfile:
            suffix: ".key"
          register: key_tempfile

        # Try to parse DispatchPrivateKey as a URL.
        # If it's recognized as a file: URL, copy that path to the tempfile.
        # Otherwise, expect it's the private key,
        # and write that content directly to the tempfile.
        - name: Save dispatch private key to tempfile
          vars:
            key_url: "{{ arvados_cluster.Containers.DispatchPrivateKey | urlsplit }}"
          ansible.builtin.copy:
            src: "{{ key_url.path if key_url.scheme == 'file' else omit }}"
            content: "{{ arvados_cluster.Containers.DispatchPrivateKey|regex_replace('\\n?$', '\\n') if key_url.scheme != 'file' else omit }}"
            dest: "{{ key_tempfile.path }}"
            mode: 0600

        - name: Derive dispatch public key
          ansible.builtin.command:
            argv:
              - ssh-keygen
              - "-y"
              - "-f"
              - "{{ key_tempfile.path }}"
          register: compute_dispatch_ssh_keygen

      always:
        - name: Remove dispatch private key tempfile
          when: key_tempfile is defined
          ansible.builtin.file:
            path: "{{ key_tempfile.path }}"
            state: absent

    - ansible.builtin.include_role:
        name: distro_bootstrap

- name: Set up compute node base distribution
  # `default` is the name that the Packer Ansible plugin assigns to the
  # instance used to create the image.
  hosts: default
  tasks:
    - ansible.builtin.include_role:
        name: arvados_apt
    - name: List linux-image packages pre-upgrade
      ansible.builtin.shell:
        cmd: |
          dpkg-query --list "linux-image-[1-9]*-$(dpkg --print-architecture)" |
          awk '($1 ~ /^[irp][HUFWti]$/) { print $2; }'
      register: linux_image_preupgrade
    - name: apt update if needed
      ansible.builtin.meta: flush_handlers
    - name: Upgrade packages
      become: yes
      ansible.builtin.apt:
        upgrade: true
    - name: Remove unwanted packages
      become: yes
      ansible.builtin.apt:
        state: absent
        purge: true
        name:
          - unattended-upgrades
    - name: List linux-image packages post-upgrade
      ansible.builtin.shell:
        cmd: |
          dpkg-query --list "linux-image-[1-9]*-$(dpkg --print-architecture)" |
          awk '($1 ~ /^[irp][HUFWti]$/) { print $2; }'
      register: linux_image_postupgrade
    # Rebooting now accomplishes a few things: it means we can remove the old
    # linux-image afterward, and the `ansible_kernel` fact will reflect what
    # the image will boot into when used.
    - name: Reboot into new kernel
      when: "linux_image_preupgrade.stdout != linux_image_postupgrade.stdout"
      become: yes
      ansible.builtin.reboot: {}
    - name: Remove old kernel(s)
      when: "linux_image_preupgrade.stdout != linux_image_postupgrade.stdout"
      become: yes
      ansible.builtin.apt:
        state: absent
        purge: true
        name: "{{ linux_image_preupgrade.stdout_lines }}"

- name: Install compute node software
  hosts: default
  tasks:
    - ansible.builtin.include_role:
        name: compute_encrypt_tmp
    - ansible.builtin.include_role:
        name: arvados_compute
    - ansible.builtin.include_role:
        name: compute_docker
      when: "arvados_cluster.Containers.RuntimeEngine == 'docker'"
    - ansible.builtin.include_role:
        name: compute_user

    - name: Configure DNS
      become: yes
      ansible.builtin.lineinfile:
        path: /etc/dhcp/dhclient.conf
        regexp: "^[# ]*prepend +domain-name-servers "
        line: "prepend domain-name-servers {{ dns_resolver }};"
      when: dns_resolver is defined

    - name: Clean apt packages
      become: yes
      ansible.builtin.apt:
        autoremove: true
        clean: true