---
# Copyright 2024 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

#
# NOTE: Playbook migrated to: roles/cifmw_nfs/tasks/main.yml.
# DO NOT EDIT THIS PLAYBOOK. IT WILL BE REMOVED IN NEAR FUTURE..
#

- name: Deploy an NFS server
  become: true
  hosts: "{{ groups[cifmw_nfs_target | default('computes')][0] | default([]) }}"
  pre_tasks:
    - name: End play early if no NFS is needed
      when:
        - not cifmw_edpm_deploy_nfs | default(false) | bool
      ansible.builtin.meta: end_play
  vars:
    nftables_path: /etc/nftables
    nftables_conf: /etc/sysconfig/nftables.conf
  tasks:
    - name: Set custom cifmw PATH reusable fact
      tags:
        - always
      when:
        - cifmw_path is not defined
      ansible.builtin.set_fact:
        cifmw_path: "{{ ansible_user_dir }}/.crc/bin:{{ ansible_user_dir }}/.crc/bin/oc:{{ ansible_user_dir }}/bin:{{ ansible_env.PATH }}"
        cacheable: true

    - name: Install required packages
      ansible.builtin.package:
        name:
          - nfs-utils
          - iptables

    - name: Configure nfs to use v4 only
      community.general.ini_file:
        path: /etc/nfs.conf
        section: nfsd
        option: vers3
        value: n
        backup: true
        mode: "0644"

    - name: Disable NFSv3-related services
      ansible.builtin.systemd_service:
        name: "{{ item }}"
        masked: true
      loop:
        - rpc-statd.service
        - rpcbind.service
        - rpcbind.socket

    - name: Ensure shared folder exist
      ansible.builtin.file:
        path: "/data/{{ item }}"
        state: directory
        mode: '755'
      loop: "{{ cifmw_nfs_shares }}"

    - name: Set nfs network vars
      delegate_to: controller
      environment:
        KUBECONFIG: "{{ cifmw_openshift_kubeconfig }}"
        PATH: "{{ cifmw_path }}"
      vars:
        _nfs_network_name: "{{ cifmw_nfs_network | default('storage') }}"
        _nfs_host: "{{ [groups[cifmw_nfs_target | default('computes')][0], ansible_domain] | select() | join('.') | default('') }}"
        _ipset_namespace: "{{ cifmw_install_yamls_defaults['NAMESPACE'] | default('openstack') }}"
      ansible.builtin.command:
        cmd: oc get ipset {{ _nfs_host }} -n {{ _ipset_namespace }} -o jsonpath='{.status.reservations[?(@.network=="{{ _nfs_network_name }}")]}'
      register: cifmw_nfs_network_out

    - name: Store nfs network vars
      delegate_to: controller
      ansible.builtin.copy:
        dest: "{{ cifmw_basedir }}/artifacts/parameters/nfs-params.yml"
        content: >-
          {{
            {
            'cifmw_nfs_ip': cifmw_nfs_network_out.stdout | from_json | json_query('address'),
            'cifmw_nfs_network_range': cifmw_nfs_network_out.stdout | from_json | json_query('cidr')
            } | to_nice_yaml
          }}
        mode: "0644"

    # NOTE: This represents a workaround because there's an edpm-nftables role
    #       in edpm-ansible already. That role should contain the implementation
    #       of the firewall rules for NFS, and they should be included in the
    #       main edpm-rules.nft file. The following firewall config assumes that
    #       the EDPM node has been configured in terms of networks and firewall.
    - name: Configure firewall
      become: true
      tags:
        - nft
      block:
        - name: Generate nftables rules file
          ansible.builtin.copy:
            content: |
              add rule inet filter EDPM_INPUT tcp dport 2049 accept
            dest: "{{ nftables_path }}/nfs-server.nft"
            mode: '0666'

        - name: Update nftables.conf and include nfs rules at the bottom
          ansible.builtin.lineinfile:
            path: "{{ nftables_conf }}"
            line: include "{{ nftables_path }}/nfs-server.nft"
            insertafter: EOF

        - name: Restart nftables service
          ansible.builtin.systemd:
            name: nftables
            state: restarted

    - name: Configure the ip the nfs server should listen on
      community.general.ini_file:
        path: /etc/nfs.conf
        section: nfsd
        option: host
        value: "{{ cifmw_nfs_network_out.stdout | from_json | json_query('address') }}"
        backup: true
        mode: "0644"

    - name: Enable and restart nfs-server service
      ansible.builtin.systemd:
        name: nfs-server
        state: restarted
        enabled: true

    - name: Add shares to /etc/exports
      ansible.builtin.lineinfile:
        path: /etc/exports
        line: "/data/{{ item }} {{ cifmw_nfs_network_out.stdout | from_json | json_query('cidr') }}(rw,sync,no_root_squash)"
      loop: "{{ cifmw_nfs_shares }}"
      register: _export_shares

    - name: Export the shares # noqa: no-handler
      when:
        - _export_shares.changed
      ansible.builtin.command: exportfs -a