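---
# WARNING: never enable `diff: true` on the template/copy tasks in this play.
# The deployed fluent-bit configs carry clear-text passwords, and a diff would
# print them into CI/CD job output. The three deploy tasks below therefore set
# `diff: false` explicitly, so a run started with `--diff` stays quiet too.
# TODO maybe try show diff with debug and regex filter
- name: setup fluent-bit for logs and metrics
  gather_facts: true
  hosts: debian_host
  become: true

  vars:
    # Debian-family hosts are checked for auth.log, every other OS family for
    # "secure".
    auth_log_file: "{{ 'auth.log' if ansible_facts['os_family'] == 'Debian' else 'secure' }}"

  tasks:
    #
    # mandatory checks - will stop tasks if fails
    #
    # tsdb_host/tsdb_port and log_host/log_port are not defined in this play;
    # presumably they come from inventory or group vars.

    # https://docs.ansible.com/ansible/latest/collections/ansible/builtin/wait_for_module.html
    - name: time-series server is reachable
      ansible.builtin.wait_for:
        host: "{{ tsdb_host }}"
        port: "{{ tsdb_port }}"
        timeout: 1

    - name: log server is reachable
      ansible.builtin.wait_for:
        host: "{{ log_host }}"
        port: "{{ log_port }}"
        timeout: 1

    # https://docs.ansible.com/ansible/latest/collections/ansible/builtin/shell_module.html
    # Read-only probe: passes when a fluent-bit binary is executable in one of
    # the two known locations and the config directory exists.
    - name: fluent-bit is installed
      ansible.builtin.shell:
        executable: /bin/bash
        cmd: "[[ -x /opt/fluent-bit/bin/fluent-bit || -x /usr/local/bin/fluent-bit ]] && [[ -d /etc/fluent-bit/ ]]"
      changed_when: false

    # TODO install geoipupdate --or-- grab once and deploy more
    # `ls` exits non-zero when the glob matches nothing, which fails the play.
    - name: mmdb files are there
      ansible.builtin.shell:
        executable: /bin/bash
        cmd: "ls -lhF /etc/fluent-bit/*.mmdb"
      changed_when: false

    # NOTE(review): the registered name looks like a typo for auth_log_there.
    # It is not read anywhere in this play; kept as-is in case something
    # outside this file references it.
    - name: auth log is there
      ansible.builtin.shell:
        executable: /bin/bash
        cmd: "ls -lhF /var/log/{{ auth_log_file }}"
      register: autl_log_there
      changed_when: false

    #
    # host-specific checks - run BEFORE base config template
    # AnsibleFilterError: The 'failed' test expects a dictionary
    #
    # A non-zero exit marks the result as failed; ignore_errors lets the play
    # continue, and the "non-systemd configs" task reads the result with
    # `systemd_there is failed`.
    - name: check whether systemd is available
      ansible.builtin.shell:
        executable: /bin/bash
        cmd: "[[ -x `which systemctl` && -x /lib/systemd/systemd ]]"
      register: systemd_there
      ignore_errors: true
      changed_when: false

    #
    # deploy base configs
    #

    # https://docs.ansible.com/ansible/latest/collections/ansible/builtin/template_module.html
    # Renders every templates/*.conf.j2 into /etc/fluent-bit/ with the .j2
    # suffix stripped.
    # NOTE(review): the filter form of fileglob presumably resolves the pattern
    # against the controller's working directory - confirm the playbook is
    # always run from its own directory.
    # NOTE(review): no owner/mode is set here or on the copy task below, so new
    # files take the remote default (often world-readable). As these configs
    # hold passwords, consider an explicit restrictive mode once the account
    # fluent-bit runs as is confirmed.
    - name: base config templates
      ansible.builtin.template:
        src: "{{ item }}"
        dest: /etc/fluent-bit/{{ item | basename | regex_replace('\.j2$', '') }}
      with_items: "{{ 'templates/*.conf.j2' | fileglob }}"
      # keep rendered secrets out of job output even under --diff
      diff: false
      notify: restart fluentbit
      # no_log: true

    # https://docs.ansible.com/ansible/latest/collections/ansible/builtin/copy_module.html
    - name: base config files
      ansible.builtin.copy:
        src: "{{ item }}"
        dest: /etc/fluent-bit/
      with_items: "{{ 'templates/*.conf' | fileglob }}"
      # keep file contents out of job output even under --diff
      diff: false
      notify: restart fluentbit

    #
    # eventually deploy non-systemd configs & scripts
    #
    # Only hosts where the systemd probe failed receive the restart wrapper.
    - name: non-systemd configs
      ansible.builtin.copy:
        src: templates/RESTART-FLUENTBIT
        dest: /etc/fluent-bit/
        # owner-only read/write/execute; written with the leading zero so the
        # octal intent is unambiguous
        mode: "0700"
      when: systemd_there is failed
      # keep file contents out of job output even under --diff
      diff: false
      notify: restart fluentbit

  handlers:
    # reload possible but full restart doesn't hurt much
    # and surely works even on heavy config changes
    - name: restart fluentbit
      ansible.builtin.shell:
        executable: /bin/bash
        # use custom wrapper in case of non-systemd init
        # Written as if/else rather than `A && B || C`: with the chained form a
        # failed `systemctl restart` on a systemd host fell through to the
        # wrapper, which is not deployed there, hiding the real error.
        cmd: |-
          if [[ -x /lib/systemd/systemd ]]; then
            systemctl restart fluent-bit.service
          else
            /etc/fluent-bit/RESTART-FLUENTBIT
          fi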