---
- hosts: "hostnode"
  name: Teleport setup
  vars:
  become: true
  pre_tasks:
    - name: Load variables
      ansible.builtin.include_vars: '{{ item }}'
      with_first_found:
        - "vars/default.yml"
  tasks:
    - name: Check if teleport is installed.
      ansible.builtin.shell: "teleport version"
      register: teleport_bin
      ignore_errors: true

    - name: Ensure teleport is stopped.
      ansible.builtin.service:
        name: 'teleport'
        state: 'stopped'

    - name: install teleport
      ansible.builtin.shell:
        cmd: 'curl https://goteleport.com/static/install.sh | bash -s {{ TELEPORT_VER }}'
      when: not TELEPORT_VER in teleport_bin.stdout

    - name: create teleport.yaml config
      ansible.builtin.blockinfile:
        content: |
          version: v3
          teleport:
            nodename: {{ SUBDOMAIN }}
            data_dir: /var/lib/teleport
            log:
              output: stderr
              severity: INFO
              format:
                output: text
            ca_pin: ""
            diag_addr: ""
          auth_service:
            proxy_listener_mode: multiplex
          ssh_service:
            enabled: "yes"
            commands:
            - name: hostname
              command: [hostname]
              period: 1m0s
          proxy_service:
              enabled: yes
              proxy_protocol: off
              listen_addr: 0.0.0.0:3023
              tunnel_listen_addr: 0.0.0.0:3024
              web_listen_addr: 0.0.0.0:3080
              public_addr: {{ SUBDOMAIN }}:3080
              ssh_public_addr: {{ SUBDOMAIN }}:3023
              tunnel_public_addr: {{ SUBDOMAIN }}:3024
              https_keypairs: 
                - key_file: /var/lib/teleport/webproxy_key.pem
                  cert_file: /var/lib/teleport/webproxy_cert.pem
              https_keypairs_reload_interval: 0
              ui:
                scrollback_lines: 1000
              trust_x_forwarded_for: true
        path: /etc/teleport.yaml 
        create: true
    - name: Generate self signed ssl cert 
      ansible.builtin.shell: openssl req -x509 -newkey rsa:4096 -keyout /var/lib/teleport/webproxy_key.pem -out /var/lib/teleport/webproxy_cert.pem -sha256 -days 3650 -nodes -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN={{ SUBDOMAIN }}"
    
    - name: Ensure teleport has selected state and enabled on boot.
      ansible.builtin.service:
        name: 'teleport'
        state: 'started'
        enabled: yes

    - name: sleep for 10 secs to wait for teleport to start
      ansible.builtin.wait_for:
        timeout: 10

    - name: Get teleport token
      ansible.builtin.shell:
        cmd: 'tctl tokens add --type=node --format=text --insecure' 
        executable: /bin/bash
      register: token

    - name: "Add K8S Token and Hash to dummy host"
      add_host:
        name:   "TELE_TOKEN_HOLDER"
        token_c:  "{{ token.stdout }}"


    - debug:
        msg: '{{ token.stdout }}'

- hosts: "clients"
  name: Client setup
  vars: 
    token_clients: "{{ hostvars['TELE_TOKEN_HOLDER']['token_c'] }}"
  become: true
  pre_tasks:
    - name: Load variables
      ansible.builtin.include_vars: '{{ item }}'
      with_first_found:
        - "vars/default.yml"
  
  tasks:
    - name: Check if teleport is installed.
      ansible.builtin.shell: "teleport version"
      register: teleport_bin_clients
      ignore_errors: true

    - name: install teleport
      ansible.builtin.shell:
        cmd: 'curl https://goteleport.com/static/install.sh | bash -s 13.3.8'
      when: not TELEPORT_VER in teleport_bin_clients.stdout
    
    - name: Ensure teleport is stopped.
      service:
        name: 'teleport'
        state: 'stopped'
      when: teleport_bin_clients

    - name: remove existing config if exists
      ansible.builtin.file:
        path: /etc/teleport.yaml
        state: absent
    
    - name: Create teleport config
      ansible.builtin.shell:
        cmd: '/usr/local/bin/teleport node configure --output=file:///etc/teleport.yaml --token={{ token_clients }} --auth-server={{ SUBDOMAIN }}:3025'
        executable: /bin/bash

    - name: Ensure teleport has selected state and enabled on boot.
      ansible.builtin.service:
        name: 'teleport'
        state: 'started'
        enabled: yes

    - name: open ports for teleport - ubuntu OS
      ansible.builtin.shell:
        cmd: 'ufw allow 3022/tcp'
      when: ansible_facts['distribution'] == "Ubuntu"
    
    - name: Install python3 firewall for rhel
      ansible.builtin.dnf:
        name: python3-firewall
        state: present
      when: ansible_facts['os_family'] == "RedHat"

    - name: open ports for teleport RHEL
      ansible.builtin.firewalld:
        permanent: true
        port: 3022/tcp
        state: enabled
        immediate: true
      when: ansible_facts['os_family'] == "RedHat"

- hosts: "reverseproxy"
  name: reverse proxy setup
  vars:
  become: true
  gather_facts: false
  pre_tasks:
    - name: Load variables
      ansible.builtin.include_vars: '{{ item }}'
      with_first_found:
        - "vars/default.yml"
  tasks:
    - name: set up reverse proxy
      include_tasks: reverseproxy.ansible.yml
      when: REVERSE_PROXY