ansible-consul/tasks/main.yml

---
# Record whether this host has already been through a full run; later tasks
# branch on bootstrap_state.stat.exists (key reuse, state-file creation).
- name: Read bootstrapped state
  ansible.builtin.stat:
    path: '{{ consul_bootstrap_state }}'
  register: bootstrap_state
  # a missing path is reported as exists=false rather than an error; this only
  # papers over unreadable paths
  ignore_errors: true
# Most specific vars file wins: family + major version first, then family only.
- name: Include OS-specific variables
  ansible.builtin.include_vars: '{{ item }}'
  with_first_found:
    - files:
        - '{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml'
        - '{{ ansible_os_family }}.yml'
# RedHat family: drop the vendor repo definition in place (fetched over HTTPS,
# certificate validation is the module default).
- name: Add hashicorp repo
  when: ansible_os_family == 'RedHat'
  ansible.builtin.get_url:
    url: 'https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo'
    dest: /etc/yum.repos.d/hashicorp.repo
    owner: root
    group: root
    mode: '0644'
# Debian family: trust the signing key served next to the repo.
# NOTE(review): the key is fetched unpinned, so nothing checks it is the
# expected one; apt_key accepts an `id:` to pin the fingerprint
# (id: <EXPECTED-KEY-FINGERPRINT>). apt_key also depends on the apt-key tool,
# which current Debian/Ubuntu releases deprecate in favour of signed-by keyrings.
- name: Add an Apt signing key, uses whichever key is at the URL
  when: ansible_os_family|lower == 'debian'
  ansible.builtin.apt_key:
    url: '{{ consul_repo_url }}/gpg'
    state: present
# Debian family: register the release-specific suite and refresh the cache.
- name: Add Debian/Ubuntu Linux repository
  when: ansible_os_family|lower == 'debian'
  ansible.builtin.apt_repository:
    repo: 'deb {{ consul_repo_url }} {{ ansible_distribution_release }} main'
    state: present
    update_cache: true
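# Install from the distro package manager, except on aarch64-type hosts
# (presumably no package is published for them — not confirmable from here).
# The original test used `aarch*`, which as a regex means "aarc" plus any
# number of "h"; the plain substring is what was meant.
- name: Install package
  ansible.builtin.package:
    name: "{{ consul_os_package }}"
    state: present
  when: ansible_architecture is not search('aarch')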
# Data directory owned by the service user; no group is set, so the group is
# whatever the file module leaves (the creating user's, if it creates it).
- name: Encure data dir exist
  ansible.builtin.file:
    path: '{{ consul_data_dir }}'
    state: directory
    owner: consul
    mode: '0755'
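# Gossip encryption key handling:
#   1. on an already bootstrapped server, reuse the `encrypt` value from
#      config.json;
#   2. otherwise generate one (once) and share it through a file on the
#      controller, which is removed at the end of the block.
# Everything that carries the key is marked no_log so it does not reach
# verbose output or callback plugins.
- name: Manage encrypt key
  when:
    - consul_encrypt_enable | bool
  block:
    - name: Check encrypt key in config file
      when:
        - consul_raw_key is not defined
        - bootstrap_state.stat.exists | bool
        - inventory_hostname in consul_servers_list
      block:
        - name: Check for gossip encryption key on previously boostrapped server
          ansible.builtin.slurp:
            src: "{{ consul_config_path }}/config.json"
          register: consul_config_b64
          # a missing config.json is tolerated: the key is generated further down
          ignore_errors: true
          # the registered result holds the whole config, key included
          no_log: true
        # The slurped config is deliberately not echoed with debug: it contains
        # the gossip key (and whatever else config.json holds).
        - name: Deserialize existing configuration
          ansible.builtin.set_fact:
            consul_config: "{{ consul_config_b64.content | b64decode | from_json }}"
          when: consul_config_b64.content is defined and consul_config_b64.content != ""
          no_log: true
        - name: Save gossip encryption key from existing configuration
          ansible.builtin.set_fact:
            consul_raw_key: "{{ consul_config.encrypt }}"
          when: consul_config is defined
          no_log: true
    # Key provided by extra vars or the above block.
    # NOTE(review): /tmp/consul_raw.key is a fixed path in a shared directory on
    # the controller; concurrent runs (e.g. two clusters) would overwrite each
    # other's key. A per-run tempfile would avoid that — left as is here.
    - name: Write gossip encryption key locally for use with new servers
      ansible.builtin.copy:
        content: "{{ consul_raw_key }}"
        dest: '/tmp/consul_raw.key'
        mode: "0600"
      become: false
      vars:
        ansible_become: false
      no_log: true
      delegate_to: localhost
      changed_when: false
      when: consul_raw_key is defined
    - name: Generate new key if none was found
      # no_log covers the keygen output and the copy below
      no_log: true
      run_once: true
      when:
        # true only when /tmp/consul_raw.key does not yet exist on the controller
        - lookup('first_found', dict(files=['/tmp/consul_raw.key'], skip=true)) | ternary(false, true)
        - not bootstrap_state.stat.exists | bool
      block:
        - name: Generate gossip encryption key
          # shell rather than command so the PATH prefix applies to the lookup
          ansible.builtin.shell: "PATH={{ consul_bin_path }}:$PATH consul keygen"
          register: consul_keygen
          changed_when: false
        - name: Write key locally to share with other nodes
          ansible.builtin.copy:
            content: "{{ consul_keygen.stdout }}"
            dest: '/tmp/consul_raw.key'
            mode: "0600"
          become: false
          vars:
            ansible_become: false
          delegate_to: localhost
    - name: Read gossip encryption key for servers that require it
      ansible.builtin.set_fact:
        consul_raw_key: "{{ lookup('file', '/tmp/consul_raw.key') }}"
      no_log: true
      when:
        - consul_raw_key is not defined
    # Runs once (localhost) so the key does not linger on the controller.
    - name: Delete gossip encryption key file
      ansible.builtin.file:
        path: '/tmp/consul_raw.key'
        state: absent
      become: false
      vars:
        ansible_become: false
      run_once: true
      delegate_to: localhost
      changed_when: false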
# NOTE(review): the name says "delete" but the task renders consul.hcl.j2 into
# place — presumably an empty/override template; confirm against the template.
# Only the owner is set; the group is left to the module's default behaviour.
- name: Delete hcl config file
  become: true
  ansible.builtin.template:
    src: consul.hcl.j2
    dest: '{{ consul_config_path }}/consul.hcl'
    owner: consul
    mode: '0644'
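# Render the main config; any change triggers the reload handler.
- name: Apply config template
  notify: reload consul configuration
  block:
    - name: Server template
      ansible.builtin.template:
        src: config.json.j2
        dest: "{{ consul_config_path }}/config.json"
        owner: consul
        # config.json carries the gossip key (the encrypt-key block above reads
        # it back from this file), so it must not be world-readable. The consul
        # user owns it and keeps read access; only "other" loses it.
        mode: "0640"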
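# Optional snapshot backups: install the script and schedule it via cron
# as the consul user.
- name: Configure backup
  # explicit bool cast, consistent with the other feature toggles in this file
  when: consul_snapshot | bool
  block:
    - name: Copy backup script
      ansible.builtin.copy:
        src: cs-backup.sh
        dest: "{{ consul_data_dir }}/cs-backup.sh"
        owner: consul
        mode: "0744"
    - name: Consul snaphot cron.d
      ansible.builtin.cron:
        name: consul backup
        user: consul
        state: present
        # consul_backup_location is interpolated unquoted into the cron command
        # line; it is expected to be a plain path without shell metacharacters
        job: "{{ consul_data_dir }}/cs-backup.sh {{ consul_backup_location }}"
        hour: "{{ consul_cron_hour }}"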
# Start now and enable at boot.
- name: Ensure service is started
  ansible.builtin.systemd:
    name: '{{ consul_service_name }}'
    enabled: true
    state: started
# Marker consulted by the stat at the top of this file on the next run;
# only created once, so the unconditional "changed" of state=touch is harmless.
- name: Create bootstrapped state file
  when: not bootstrap_state.stat.exists
  ansible.builtin.file:
    dest: '{{ consul_bootstrap_state }}'
    state: touch
    mode: '0600'
# Optional DNS forwarding via dnsmasq.
- name: Include dnsmasq
  when: consul_dnsmasq_enable | bool
  ansible.builtin.include_tasks: dnsmasq.yml
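# Optional DNS forwarding via systemd-resolved.
- name: Include systemd-resolved
  ansible.builtin.include_tasks: systemd-resolved.yml
  # explicit bool cast, matching the dnsmasq toggle directly above
  when: consul_systemd_resolved_enable | bool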