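---
# Installs a K3s control-plane ("server") node on every host in the play.
#
# Flow, as the tasks below are ordered:
#   1. skip everything when /usr/local/bin/k3s already exists on the host;
#   2. on the primary server (ansible_default_ipv4.address == k3s_primary_server_ip)
#      run the installer asynchronously and wait for it;
#   3. read the cluster join token from the primary, write it to an
#      ansible-vault file next to the playbook (once), and encrypt it;
#   4. on every other server run the installer with K3S_TOKEN set.
#
# Variables expected from inventory/vars (not defined here):
#   k3s_primary_server_ip, k3s_server_name, k3s_server_token_vault_file,
#   k3s.loadbalancer.ip, and a host named 'k3s-loadbalancer' in hostvars.

- name: See if k3s file exists
  ansible.builtin.stat:
    path: /usr/local/bin/k3s
  register: k3s_status

# NOTE(review): the installer is fetched over HTTPS and later executed as
# root without any integrity check. get_url supports a `checksum:` parameter,
# and the k3s installer honours INSTALL_K3S_VERSION; pinning one of them makes
# the install reproducible and auditable. No value is given here — confirm
# the release you intend to deploy before adding it.
- name: Download K3s install script to /tmp/
  when: not k3s_status.stat.exists
  ansible.builtin.get_url:
    url: https://get.k3s.io
    dest: /tmp/k3s_install.sh
    mode: "0755"

# argv is used instead of a free-form string so that the installer receives
# exactly these arguments: no shell is involved and no line-continuation
# characters can end up in the argument list.
- name: Install K3s server with node taint and TLS SAN
  when: (ansible_default_ipv4.address == k3s_primary_server_ip and (not k3s_status.stat.exists))
  ansible.builtin.command:
    argv:
      - /tmp/k3s_install.sh
      - server
      - "--node-taint"
      - CriticalAddonsOnly=true:NoExecute
      - "--tls-san"
      - "{{ hostvars['k3s-loadbalancer'].ansible_default_ipv4.address }}"
      - "--tls-san"
      - "{{ k3s_server_name }}"
  become: true
  # Fire-and-forget; the next task polls the job for up to 60 * 5 s = 300 s,
  # which matches the async limit here.
  async: 300
  poll: 0
  register: k3s_primary_install

- name: Wait for K3s to be installed
  when: (ansible_default_ipv4.address == k3s_primary_server_ip and (not k3s_status.stat.exists))
  ansible.builtin.async_status:
    jid: "{{ k3s_primary_install.ansible_job_id }}"
  register: k3s_primary_install_status
  until: k3s_primary_install_status.finished
  retries: 60
  delay: 5
  become: true

# The vault file lives on the controller next to the playbook, so the check
# is delegated to localhost and done once for the whole play.
- name: Check if k3s token vault file already exists
  ansible.builtin.stat:
    path: "{{ playbook_dir }}/{{ k3s_server_token_vault_file }}"
  register: k3s_vault_file_stat
  delegate_to: localhost
  run_once: true

# The node token is a cluster-join credential; no_log keeps the slurped
# content out of verbose task output and log files.
- name: Get K3s token from the first server
  when:
    - ansible_default_ipv4.address == k3s_primary_server_ip
    - not k3s_vault_file_stat.stat.exists
  ansible.builtin.slurp:
    src: /var/lib/rancher/k3s/server/node-token
  register: k3s_token
  become: true
  no_log: true

# NOTE(review): this task is not restricted to the primary server, but the
# slurp above only ran there; on the other hosts `k3s_token` is the
# skipped-task result and has no 'content' key, so this template is expected
# to fail on a fresh run that includes secondary servers. Confirm whether the
# play is meant to be run against the primary first (vault file then exists
# on the next run) or whether the token should be taken from the primary's
# hostvars here.
- name: Decode the K3s token read from the primary server
  ansible.builtin.set_fact:
    k3s_token: "{{ k3s_token['content'] | b64decode | trim }}"
  when:
    - not k3s_vault_file_stat.stat.exists
  no_log: true

# Written once, owner-only, and encrypted by the next task; the plaintext is
# on the controller's disk only between these two tasks.
- name: Write K3s token to local file for encryption
  ansible.builtin.copy:
    content: |
      k3s_token: "{{ k3s_token }}"
    dest: "{{ playbook_dir }}/{{ k3s_server_token_vault_file }}"
    mode: "0600"
  delegate_to: localhost
  run_once: true
  when:
    - not k3s_vault_file_stat.stat.exists
  no_log: true

# run_once is required here: the file is written once above, and a second
# `ansible-vault encrypt` on an already-encrypted file fails. command+argv
# replaces the shell one-liner so the path is passed as a single argument
# without shell interpretation; chdir keeps the original `cd ../`.
- name: Encrypt k3s token
  ansible.builtin.command:
    argv:
      - ansible-vault
      - encrypt
      - "{{ playbook_dir }}/{{ k3s_server_token_vault_file }}"
    chdir: ../
  delegate_to: localhost
  run_once: true
  when:
    - not k3s_vault_file_stat.stat.exists

# NOTE(review): the secondary servers advertise only k3s.loadbalancer.ip as a
# TLS SAN, whereas the primary also adds k3s_server_name and reads the load
# balancer address from hostvars['k3s-loadbalancer']; confirm that the two
# sets of SANs are intentionally different.
- name: Install K3s on the secondary servers
  when: (ansible_default_ipv4.address != k3s_primary_server_ip and (not k3s_status.stat.exists))
  ansible.builtin.command:
    argv:
      - /tmp/k3s_install.sh
      - server
      - "--node-taint"
      - CriticalAddonsOnly=true:NoExecute
      - "--tls-san"
      - "{{ k3s.loadbalancer.ip }}"
  environment:
    K3S_TOKEN: "{{ k3s_token }}"
  become: true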