---
- hosts: localhost
  gather_facts: false
  tags: always
  vars_files:
    - config.cfg

  tasks:
    - block:
        - name: Get list of installed config files
          find:
            paths: configs/
            depth: 2
            recurse: true
            hidden: true
            patterns: .config.yml
          register: _configs_list

        - name: Verify servers
          assert:
            that: _configs_list.matched > 0
            msg: No servers found, nothing to update.

        - name: Build list of installed servers
          set_fact:
            server_list: >-
              [{% for i in _configs_list.files %}
                {% set config  = lookup('file', i.path)|from_yaml %}
                '{{ config.server }}'
                {{ ',' if not loop.last else '' }}
              {% endfor %}]

        - name: Server address prompt
          pause:
            prompt: |
              Select the server to update user list below:
                {% for r in server_list %}
                {{ loop.index }}. {{ r }}
                {% endfor %}
          register: _server
      when: server is undefined

    - block:
        - name: Set facts based on the input
          set_fact:
            algo_server: >-
              {% if server is defined %}{{ server }}
              {%- elif _server.user_input %}{{ server_list[_server.user_input | int -1 ] }}
              {%- else %}omit{% endif %}

        - name: Import host specific variables
          include_vars:
            file: configs/{{ algo_server }}/.config.yml

        - when: ipsec_enabled
          block:
            - name: CA password prompt
              pause:
                prompt: Enter the password for the private CA key
                echo: false
              register: _ca_password
              when: ca_password is undefined

            - name: Set facts based on the input
              set_fact:
                CA_password: >-
                  {% if ca_password is defined %}{{ ca_password }}
                  {%- elif _ca_password.user_input %}{{ _ca_password.user_input }}
                  {%- else %}omit{% endif %}

        - name: Local pre-tasks
          import_tasks: playbooks/cloud-pre.yml
          become: false

        - name: Add the server to the vpn-host group
          add_host:
            name: "{{ algo_server }}"
            groups: vpn-host
            ansible_ssh_user: "{{ server_user|default('root') }}"
            ansible_connection: "{% if algo_server == 'localhost' %}local{% else %}ssh{% endif %}"
            ansible_python_interpreter: /usr/bin/python3
            CA_password: "{{ CA_password|default(omit) }}"
      rescue:
        - include_tasks: playbooks/rescue.yml

- name: User management
  hosts: vpn-host
  gather_facts: true
  become: true
  vars_files:
    - config.cfg
    - configs/{{ inventory_hostname }}/.config.yml

  tasks:
    - block:
        - import_role:
            name: common

        - import_role:
            name: wireguard
          when: wireguard_enabled

        - import_role:
            name: strongswan
          when: ipsec_enabled
          tags: ipsec

        - import_role:
            name: ssh_tunneling
          when: algo_ssh_tunneling

        - debug:
            msg:
              - "{{ congrats.common.split('\n') }}"
              - "    {{ congrats.p12_pass if algo_ssh_tunneling or ipsec_enabled else '' }}"
              - "    {{ congrats.ca_key_pass if algo_store_pki and ipsec_enabled else '' }}"
              - "    {{ congrats.ssh_access if algo_provider != 'local' else ''}}"
          tags: always
      rescue:
        - include_tasks: playbooks/rescue.yml