# OpenTofu 小王 - 修复不安全的服务器配置
# terraform 块已在 onecloud1-deploy-clean.tf 中定义

# 需要修复的不安全服务器节点
variable "insecure_servers" {
  type = list(string)
  default = [
    "ash1d",
    "ash2e"
  ]
}

# 为每个服务器节点生成安全配置文件
resource "local_file" "secure_server_configs" {
  for_each = toset(var.insecure_servers)
  
  filename = "${path.module}/generated/${each.key}-server-secure.hcl"
  content = replace(
    file("${path.module}/../nomad-configs-tofu/server-template-secure.hcl"),
    "NODE_NAME",
    each.key
  )
}

# 部署安全配置到每个服务器节点
resource "null_resource" "fix_insecure_servers" {
  for_each = toset(var.insecure_servers)
  
  depends_on = [local_file.secure_server_configs]
  
  provisioner "local-exec" {
    command = <<EOF
echo "=== 修复 ${each.key} 的不安全配置 ==="
echo "开始时间: $(date)"

echo "1. 测试连接 ${each.key}..."
ping -c 1 ${each.key}.tailnet-68f9.ts.net || echo "   - ${each.key} ping 失败"

echo "2. 上传安全配置文件..."
sshpass -p '3131' scp -o StrictHostKeyChecking=no -o ConnectTimeout=5 \
  ${path.module}/generated/${each.key}-server-secure.hcl \
  ben@${each.key}.tailnet-68f9.ts.net:/tmp/nomad-secure.hcl && echo "   - 文件上传成功" || echo "   - 文件上传失败"

echo "3. 备份旧配置并部署安全配置..."
sshpass -p '3131' ssh -o StrictHostKeyChecking=no -o ConnectTimeout=5 \
  ben@${each.key}.tailnet-68f9.ts.net \
  "echo '=== ${each.key} 安全配置部署开始 ==='; \
   echo '3131' | sudo -S systemctl stop nomad; \
   echo '备份不安全的配置...'; \
   echo '3131' | sudo -S cp /etc/nomad.d/nomad.hcl /etc/nomad.d/nomad.hcl.insecure.backup.\$(date +%Y%m%d_%H%M%S); \
   echo '部署安全配置...'; \
   echo '3131' | sudo -S cp /tmp/nomad-secure.hcl /etc/nomad.d/nomad.hcl; \
   echo '清理 Raft 数据以重新加入集群...'; \
   echo '3131' | sudo -S rm -rf /opt/nomad/data/server/raft/; \
   echo '启动服务...'; \
   echo '3131' | sudo -S systemctl start nomad; \
   sleep 10; \
   echo '检查服务状态...'; \
   echo '3131' | sudo -S systemctl status nomad --no-pager; \
   echo '=== ${each.key} 安全配置部署完成 ==='" && echo "   - ${each.key} 安全修复成功" || echo "   - ${each.key} 安全修复失败"

echo "=== ${each.key} 安全修复完成！时间: $(date) ==="
EOF
  }
  
  triggers = {
    config_hash = local_file.secure_server_configs[each.key].content_md5
    deploy_time = timestamp()
  }
}

output "security_fix_summary" {
  value = {
    fixed_servers = var.insecure_servers
    config_files = [for server in var.insecure_servers : "${server}-server-secure.hcl"]
    deploy_time = timestamp()
  }
}