#- name: Remove demo certs
#  ## 732 will not be needed
#  file:
#    path: "{{ item }}"
#    state: absent
#  with_items:
#    - "{{ opendistro_conf_path }}/kirk.pem"
#    - "{{ opendistro_conf_path }}/kirk-key.pem"
#    - "{{ opendistro_conf_path }}/esnode.pem"
#    - "{{ opendistro_conf_path }}/esnode-key.pem"

- name: Configure IP (Private address)
  set_fact:
    target_address: "{{ hostvars[inventory_hostname]['private_ip'] if not single_node else elasticsearch_network_host }}"
  when:
    - hostvars[inventory_hostname]['private_ip'] is defined

- name: Configure IP (Public address)
  set_fact:
    target_address: "{{ inventory_hostname if not single_node else elasticsearch_network_host }}"
  when:
    - hostvars[inventory_hostname]['private_ip'] is not defined


- name: Copy the node & admin certificates to Elasticsearch cluster
  copy:
    src: "{{ local_certs_path }}/certs/{{ item }}"
    dest: "{{ opendistro_conf_path }}/certs/"
    mode: 0644
  become: yes
  with_items:
    - root-ca.pem
    - root-ca.key
    - "{{ elasticsearch_node_name }}-key.pem"
    - "{{ elasticsearch_node_name }}.pem"
    #- "{{ elasticsearch_node_name }}_http.key"
    #- "{{ elasticsearch_node_name }}_http.pem"
    #- "{{ elasticsearch_node_name }}_elasticsearch_config_snippet.yml"
    - admin-key.pem
    - admin.pem

#- name: Copy the OpenDistro security configuration file to cluster
#  blockinfile:
#    block: "{{ lookup('file', snippet_path ) }}"
#    dest: "{{ opendistro_conf_path }}/elasticsearch.yml"
#    insertafter: EOF
#    marker: "## {mark} Opendistro Security Node & Admin certificates configuration ##"
#  vars:
#    snippet_path: '{{ local_certs_path }}/certs/{{ elasticsearch_node_name }}_elasticsearch_config_snippet.yml'

#- name: Prepare the OpenDistro security configuration file
#  replace:
#    path: "{{ opendistro_conf_path }}/elasticsearch.yml"
#    regexp: 'searchguard'
#    replace: 'opendistro_security'
#  tags: local

- name: Restart elasticsearch with security configuration
  systemd:
    name: wazuh-indexer
    state: restarted

- name: Copy the OpenDistro security internal users template
  template:
    src: "templates/internal_users.yml.j2"
    dest: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml"
    mode: 0644
  run_once: true

- name: Hashing the custom admin password
  command: "{{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_admin_password }}" # noqa 301
  register: opendistro_admin_password_hashed
  no_log: '{{ opendistro_nolog_sensible | bool }}'
  run_once: true

- name: Set the Admin user password
  replace:
    path: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml"
    regexp: '(?<=admin:\n  hash: )(.*)(?=)'
    replace: "{{ odfe_password_hash | quote }}"
  vars:
    odfe_password_hash: "{{ opendistro_admin_password_hashed.stdout_lines | last }}"
  run_once: true

# this can also be achieved with password_hash, but it requires dependencies on the controller
- name: Hash the kibanaserver role/user pasword
  command: "{{ opendistro_sec_plugin_tools_path }}/hash.sh -p {{ opendistro_kibana_password }}" # noqa 301
  register: opendistro_kibanaserver_password_hashed
  no_log: '{{ opendistro_nolog_sensible | bool }}'
  run_once: true

- name: Set the kibanaserver user password
  replace:
    path: "{{ opendistro_sec_plugin_conf_path }}/internal_users.yml"
    regexp: '(?<=kibanaserver:\n  hash: )(.*)(?=)'
    replace: "{{ odfe_password_hash | quote }}"
  vars:
    odfe_password_hash: "{{ opendistro_kibanaserver_password_hashed.stdout_lines | last }}"
  run_once: true

- name: Initialize the OpenDistro security index in elasticsearch
  command: >
    sudo -u wazuh-indexer OPENSEARCH_PATH_CONF=/etc/wazuh-indexer
    JAVA_HOME=/usr/share/wazuh-indexer/jdk
    {{ opendistro_sec_plugin_tools_path }}/securityadmin.sh
    -cd {{ opendistro_sec_plugin_tools_path }}/
    -icl -p 9800 -cd /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig
    -cacert {{ opendistro_conf_path }}/certs/root-ca.pem
    -cert {{ opendistro_conf_path }}/certs/admin.pem
    -key {{ opendistro_conf_path }}/certs/admin-key.pem
    -nhnv
    -h {{ target_address }}
  run_once: true # noqa 301

- name: Create custom user
  uri:
    url: "https://{{ target_address }}:{{ opendistro_http_port }}/_plugins/_security/api/internalusers/{{ opendistro_custom_user }}"
    method: PUT
    user: "admin" # Default OpenDistro user is always "admin"
    password: "{{ opendistro_admin_password }}"
    body: |
      {
        "password": "{{ opendistro_admin_password }}",
        "backend_roles": ["{{ opendistro_custom_user_role }}"]
      }
    body_format: json
    validate_certs: no
    status_code: 200,201,401
    return_content: yes
    timeout: 4
  when:
    - opendistro_custom_user is defined and opendistro_custom_user