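---
# warning: diff:true should not be enabled on CI/CD because it would show clear-text passwords
# todo - maybe try show diff with debug and regex filter
#
# Play: install fluent-bit configuration (base + addon configs, GeoIP databases)
# on the hosts given by `target`, then restart the daemon through a handler that
# works on both systemd and non-systemd inits.
#
# Expected extra vars (not defined here - supplied by inventory or -e):
#   target      - host pattern to run against
#   become      - whether to escalate privileges
#   addons      - list of addon names; selects flb-addons/* files and tasks-*.yml includes
#   url_geoip   - base URL the mmdb files are fetched from (only used when mmdb_files is defined)
#   mmdb_files  - optional list of GeoIP database file names
- name: setup fluent-bit for logs and metrics
  gather_facts: false
  hosts: "{{ target }}"
  become: "{{ become }}"

  tasks:
    # fail early on hosts without the fluent-bit binary instead of deploying config for nothing
    - name: check fluentbit is installed
      ansible.builtin.stat:
        path: /opt/fluent-bit/bin/fluent-bit
      register: flb_binary
      failed_when: not (flb_binary.stat.exists and flb_binary.stat.executable)

    # required e.g. by flb_auth and flb_sshguard
    # lower-cased distributor id ("debian", "ubuntu", ...) or "unknown" when lsb_release is missing
    - name: define distro
      ansible.builtin.shell:
        executable: /bin/bash
        cmd: "lsb_release -is 2>/dev/null | tr A-Z a-z || echo unknown"
      register: distro
      changed_when: false
      check_mode: false

    - name: show detected distro
      ansible.builtin.debug:
        var: distro.stdout

    #
    # host-specific checks - run BEFORE base config template
    #
    # systemd.stdout is "there" or "absent"; it selects the include below and the restart handler
    - name: check whether systemd is available
      ansible.builtin.shell:
        executable: /bin/bash
        cmd: "[[ -x `which systemctl` && -x /lib/systemd/systemd ]] && echo there || echo absent"
      register: systemd
      changed_when: false
      check_mode: false

    #
    # deploy base configs
    #
    - name: base config templates
      ansible.builtin.template:
        src: "{{ item }}"
        # strip the .j2 suffix: flb/foo.conf.j2 -> /etc/fluent-bit/foo.conf
        dest: /etc/fluent-bit/{{ item | basename | regex_replace('\.j2$', '') }}
        # credentials are in there - prevent system-wide read access
        # (quoted: an unquoted 0600 is parsed as an octal integer by YAML, ansible-lint risky-octal)
        mode: "0600"
      with_fileglob: "flb/*.conf.j2"
      notify: restart fluent-bit
      diff: true

    - name: base config files
      ansible.builtin.copy:
        src: "{{ item }}"
        dest: /etc/fluent-bit/
      with_fileglob: "flb/*.conf"
      notify: restart fluent-bit
      diff: true

    - name: download mmdb files
      ansible.builtin.get_url:
        url: "{{ url_geoip }}/{{ item }}"
        dest: "/etc/fluent-bit/{{ item }}"
        mode: "0400"
        # NOTE(review): TLS verification is disabled, so the GeoIP databases are fetched
        # without authenticating the server; re-enable this (or point ca_path at the
        # internal CA) once url_geoip is served with a verifiable certificate
        validate_certs: false
        use_netrc: false
        # force: true re-downloads on every run, so this task is never idempotent and
        # notifies a restart each time; a checksum: argument would avoid that
        force: true
      loop: "{{ mmdb_files }}"
      notify: restart fluent-bit
      when: mmdb_files is defined

    #
    # setup fluent-bit addon configs for metrics and logs
    #
    # deploy host-specific includes first, as the template engine eventually merges them
    - name: host-specific addon config files
      ansible.builtin.copy:
        src: "flb-addons/incl_{{ item }}_{{ inventory_hostname_short }}.conf"
        dest: /etc/fluent-bit/
      loop: "{{ addons }}"
      notify: restart fluent-bit
      diff: true
      # those might not exist for this addon - a missing source is expected, not an error;
      # note this also hides genuine copy failures (permissions, disk full)
      # todo - try to use fileglob + loop without include_tasks - don't want yet another yaml file
      failed_when: false

    # https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_loops.html#iterating-over-a-simple-list
    - name: defined addon config templates
      ansible.builtin.template:
        src: "flb-addons/flb_{{ item }}.conf.j2"
        dest: "/etc/fluent-bit/flb_{{ item }}.conf"
        # credentials are in there - prevent system-wide read access
        mode: "0600"
      loop: "{{ addons }}"
      notify: restart fluent-bit
      diff: true

    - name: defined addon lua scripts
      ansible.builtin.copy:
        src: "flb-addons/flb_{{ item }}.lua"
        dest: /etc/fluent-bit/
      loop: "{{ addons }}"
      notify: restart fluent-bit
      diff: true
      # those might not exist for this addon
      # todo - try to use fileglob + loop without include_tasks - don't want yet another yaml file
      failed_when: false

    - name: defined addon custom parsers
      ansible.builtin.copy:
        src: "flb-addons/custom_parsers_{{ item }}.conf"
        dest: /etc/fluent-bit/
      loop: "{{ addons }}"
      notify: restart fluent-bit
      diff: true
      # those might not exist for this addon
      # todo - try to use fileglob + loop without include_tasks - don't want yet another yaml file
      failed_when: false

    - name: defined addon custom streams
      ansible.builtin.copy:
        src: "flb-addons/custom_streams_{{ item }}.conf"
        dest: /etc/fluent-bit/
      loop: "{{ addons }}"
      notify: restart fluent-bit
      diff: true
      # those might not exist for this addon
      # todo - try to use fileglob + loop without include_tasks - don't want yet another yaml file
      failed_when: false

    # some addons require additional artillery
    - name: handle specific logs on netbird VPN gateways
      ansible.builtin.include_tasks: tasks-nbpeers.yml
      when: "'nbpeers' in addons"

    - name: handle ngenix s3 archived logs
      ansible.builtin.include_tasks: tasks-nge-archive.yml
      when: "'nge-archive' in addons"

    - name: handle custom osearch metrics
      ansible.builtin.include_tasks: tasks-osearch_metrics.yml
      when: "'osearch_metrics' in addons"

    - name: handle specific logs for wireguard VPN gateways
      ansible.builtin.include_tasks: tasks-wgpeers.yml
      when: "'wgpeers' in addons"

    # a modern debian or redhat based system is not always
    # nor necessarily what you have, want or need
    - name: deploy non-systemd scripts
      ansible.builtin.include_tasks: tasks-slackware.yml
      when: systemd.stdout == 'absent'

  handlers:
    # Both handlers subscribe to the "restart fluent-bit" topic via listen: so the
    # tasks above keep their notify: unchanged. Handler names live in a global
    # namespace, and two handlers sharing one name collide (depending on the
    # ansible-core version only one of them runs), which would silently skip the
    # restart on one init family.
    #
    # reload possible but full restart doesn't hurt much
    # and surely works even on heavy config changes
    - name: restart fluent-bit via systemd
      listen: restart fluent-bit
      ansible.builtin.systemd:
        name: fluent-bit.service
        state: restarted
      when: systemd.stdout == 'there'

    # use custom wrapper in case of non-systemd init
    - name: restart fluent-bit via wrapper script
      listen: restart fluent-bit
      ansible.builtin.shell:
        executable: /bin/bash
        cmd: /etc/fluent-bit/RESTART-FLUENTBIT
      when: systemd.stdout == 'absent'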