{% from "nova/map.jinja" import controller with context %}

{%- if controller.get('enabled') %}

include:
  {%- if controller.version not in ["juno", "kilo", "liberty", "mitaka", "newton"] %}
  - apache
  {%- endif %}
  - nova.db.offline_sync
  # TODO(vsaienko) we need to run online dbsync only once after upgrade
  # Move to appropriate upgrade phase
  - nova.db.online_sync
  - nova._ssl.mysql
  - nova._ssl.rabbitmq
{%- if grains.os_family == 'Debian' %}
debconf-set-prerequisite:
    pkg.installed:
      - name: debconf-utils
      - require_in:
        - debconf: nova_consoleproxy_debconf

nova_consoleproxy_debconf:
  debconf.set:
  - name: nova-consoleproxy
  - data:
      'nova-consoleproxy/daemon_type':
        type: 'string'
        value: 'novnc'
  - require_in:
    - pkg: nova_controller_packages
{%- endif %}

nova_controller_packages:
  pkg.installed:
  - names: {{ controller.pkgs }}

{%- if not salt['user.info']('nova') %}
user_nova:
  user.present:
  - name: nova
  - home: /var/lib/nova
  - shell: /bin/false
  {# note: nova uid/gid values would not be evaluated after user is created. #}
  - uid: {{ controller.get('nova_uid', 303) }}
  - gid: {{ controller.get('nova_gid', 303) }}
  - system: True
  - require_in:
    - pkg: nova_controller_packages
    - sls: nova._ssl.mysql
    - sls: nova._ssl.rabbitmq
{%- if controller.version not in ["juno", "kilo", "liberty", "mitaka", "newton"] %}
    - pkg: nova_placement_package
{%- endif %}

group_nova:
  group.present:
    - name: nova
    {# note: nova gid value would not be evaluated after user is created. #}
    - gid: {{ controller.get('nova_gid', 303) }}
    - system: True
    - require_in:
      - user: user_nova
{%- endif %}

{%- if controller.get('concurrency', {}).lock_path is defined %}
nova_controller_lock_path_{{ controller.concurrency.lock_path }}:
  file.directory:
  - name: {{ controller.concurrency.lock_path }}
  - user: nova
  - group: nova
  - mode: 750
  - makedirs: True
  - require:
    - pkg: nova_controller_packages
  - require_in:
    - service: nova_controller_services
{%- endif %}

# Only for Queens. Communication between noVNC proxy service and QEMU
{%- if controller.version not in ['mitaka', 'newton', 'ocata', 'pike'] %}
{%- if controller.novncproxy.vencrypt.tls.get('enabled', False) %}

{%- set ca_file=controller.novncproxy.vencrypt.tls.get('ca_file') %}
{%- set key_file=controller.novncproxy.vencrypt.tls.get('key_file') %}
{%- set cert_file=controller.novncproxy.vencrypt.tls.get('cert_file') %}

novncproxy_vencrypt_ca:
{%- if controller.novncproxy.vencrypt.tls.cacert is defined %}
  file.managed:
    - name: {{ ca_file }}
    - contents_pillar: nova:controller:novncproxy:vencrypt:tls:cacert
    - mode: 644
    - makedirs: true
    - user: root
    - group: nova
    - watch_in:
      - service: nova_controller_services
{%- else %}
  file.exists:
   - name: {{ ca_file }}
{%- endif %}

novncproxy_vencrypt_public_cert:
{%- if controller.novncproxy.vencrypt.tls.cert is defined %}
  file.managed:
    - name: {{ cert_file }}
    - contents_pillar: nova:controller:novncproxy:vencrypt:tls:cert
    - mode: 640
    - user: root
    - group: nova
    - makedirs: true
{%- else %}
  file.exists:
   - name: {{ cert_file }}
{%- endif %}

novncproxy_vencrypt_private_key:
{%- if controller.novncproxy.vencrypt.tls.key is defined %}
  file.managed:
    - name: {{ key_file }}
    - contents_pillar: nova:controller:novncproxy:vencrypt:tls:key
    - mode: 640
    - user: root
    - group: nova
    - makedirs: true
{%- else %}
  file.exists:
   - name: {{ key_file }}
{%- endif %}

novncproxy_vencrypt_set_user_and_group:
  file.managed:
    - names:
      - {{ ca_file }}
      - {{ cert_file }}
      - {{ key_file }}
    - user: root
    - group: nova

{%- endif %}
{%- endif %}

{%- if controller.novncproxy.tls.get('enabled', False) %}
{%- set key_file=controller.novncproxy.tls.server.get('key_file') %}
{%- set cert_file=controller.novncproxy.tls.server.get('cert_file') %}

novncproxy_server_public_cert:
{%- if controller.novncproxy.tls.server.cert is defined %}
  file.managed:
    - name: {{ cert_file }}
    - contents_pillar: nova:controller:novncproxy:tls:server:cert
    - mode: 644
    - makedirs: true
    - user: root
    - group: nova
    - watch_in:
      - service: nova_controller_services
{%- else %}
  file.exists:
   - name: {{ cert_file }}
{%- endif %}

novncproxy_server_private_key:
{%- if controller.novncproxy.tls.server.key is defined %}
  file.managed:
    - name: {{ key_file }}
    - contents_pillar: nova:controller:novncproxy:tls:server:key
    - mode: 640
    - user: root
    - group: nova
    - makedirs: true
{%- else %}
  file.exists:
   - name: {{ key_file }}
{%- endif %}

novncproxy_server_set_user_and_group:
  file.managed:
    - names:
      - {{ cert_file }}
      - {{ key_file }}
    - user: root
    - group: nova

{%- endif %}

{%- if controller.get('networking', 'default') == "contrail" and controller.version == "juno" %}

contrail_nova_packages:
  pkg.installed:
  - names:
    - contrail-nova-driver
    - contrail-nova-networkapi

{%- endif %}

/etc/nova/nova.conf:
  file.managed:
  - source: salt://nova/files/{{ controller.version }}/nova-controller.conf.{{ grains.os_family }}
  - template: jinja
  - require:
    - pkg: nova_controller_packages
    - sls: nova._ssl.mysql
    - sls: nova._ssl.rabbitmq
  - require_in:
    - sls: nova.db.offline_sync
    - sls: nova.db.online_sync

/etc/nova/api-paste.ini:
  file.managed:
  - source: salt://nova/files/{{ controller.version }}/api-paste.ini.{{ grains.os_family }}
  - template: jinja
  - require:
    - pkg: nova_controller_packages

{% for service_name in controller.services %}
{{ service_name }}_default:
  file.managed:
    - name: /etc/default/{{ service_name }}
    - source: salt://nova/files/default
    - template: jinja
    - require:
      - pkg: nova_controller_packages
    - defaults:
        service_name: {{ service_name }}
        values: {{ controller }}
    - require:
      - pkg: nova_controller_packages
    - watch_in:
      - service: nova_controller_services
{% endfor %}

{% if controller.logging.log_appender %}

{%- if controller.logging.log_handlers.get('fluentd').get('enabled', False) %}
nova_controller_fluentd_logger_package:
  pkg.installed:
    - name: python-fluent-logger
{%- endif %}

nova_general_logging_conf:
  file.managed:
    - name: /etc/nova/logging.conf
    - source: salt://oslo_templates/files/logging/_logging.conf
    - template: jinja
    - user: nova
    - group: nova
    - require_in:
      - sls: nova.db.offline_sync
    - require:
      - pkg: nova_controller_packages
{%- if controller.logging.log_handlers.get('fluentd').get('enabled', False) %}
      - pkg: nova_controller_fluentd_logger_package
{%- endif %}
    - defaults:
        service_name: nova
        _data: {{ controller.logging }}
    - watch_in:
      - service: nova_controller_services

/var/log/nova/nova.log:
  file.managed:
    - user: nova
    - group: nova
    - watch_in:
      - service: nova_controller_services
{%- if controller.version not in ["juno", "kilo", "liberty", "mitaka", "newton"] %}
      - service: nova_apache_restart
{%- endif %}

{% for service_name in controller.services %}

{{ service_name }}_logging_conf:
  file.managed:
    - name: /etc/nova/logging/logging-{{ service_name }}.conf
    - source: salt://oslo_templates/files/logging/_logging.conf
    - template: jinja
    - user: nova
    - group: nova
    - require:
      - pkg: nova_controller_packages
{%- if controller.logging.log_handlers.get('fluentd').get('enabled', False) %}
      - pkg: nova_controller_fluentd_logger_package
{%- endif %}
    - makedirs: True
    - defaults:
        service_name: {{ service_name }}
        _data: {{ controller.logging }}
    - watch_in:
      - service: nova_controller_services
{%- if controller.version not in ["juno", "kilo", "liberty", "mitaka", "newton"] %}
      - service: nova_apache_restart
{%- endif %}

{% endfor %}
{% endif %}

{%- if controller.version not in ['liberty', 'mitaka', 'newton'] %}
{# nova no longer ships with a default policy.json #}
{#- Since Queens release `policy.json` is changed to `policy.yaml`. But default option in `oslo_policy` is `policy.json` #}
/etc/nova/{{ controller.get('oslo_policy', {}).get('policy_file', 'policy.json') }}:
  file.managed:
    - contents: '{}'
    - replace: False
    - user: nova
    - group: nova
    - require:
      - pkg: nova_controller_packages
{%- endif %}

{%- for name, rule in controller.get('policy', {}).iteritems() %}

{%- if rule != None %}
nova_keystone_rule_{{ name }}_present:
  keystone_policy.rule_present:
  - path: /etc/nova/{{ controller.get('oslo_policy', {}).get('policy_file', 'policy.json') }}
  - name: {{ name }}
  - rule: {{ rule }}
  - require:
    - pkg: nova_controller_packages
    {% if controller.version not in ['liberty', 'mitaka', 'newton'] %}
    - file: /etc/nova/{{ controller.get('oslo_policy', {}).get('policy_file', 'policy.json') }}
    {% endif%}

{%- else %}

nova_keystone_rule_{{ name }}_absent:
  keystone_policy.rule_absent:
  - path: /etc/nova/{{ controller.get('oslo_policy', {}).get('policy_file', 'policy.json') }}
  - name: {{ name }}
  - require:
    - pkg: nova_controller_packages
    {% if controller.version not in ['liberty', 'mitaka', 'newton'] %}
    - file: /etc/nova/{{ controller.get('oslo_policy', {}).get('policy_file', 'policy.json') }}
    {% endif%}

{%- endif %}

{%- endfor %}

{%- if controller.version not in ["juno", "kilo", "liberty", "mitaka", "newton"] %}
{%- if controller.get('update_cells') %}

nova_update_cell0:
  novang.update_cell:
  - name: "cell0"
  - db_name: {{ controller.database.name }}_cell0
  - db_engine: {{ controller.database.engine }}
  - db_password: {{ controller.database.password }}
  - db_user: {{ controller.database.user }}
  - db_address: {{ controller.database.host }}
  {%- if grains.get('noservices') %}
  - onlyif: /bin/false
  {%- endif %}

{%- set rabbit_port = controller.message_queue.get('port', 5671 if controller.message_queue.get('ssl',{}).get('enabled', False) else 5672) %}

nova_update_cell1:
  novang.update_cell:
  - name: "cell1"
  - db_name: {{ controller.database.name }}
{%- if controller.message_queue.members is defined %}
  - transport_url: rabbit://{% for member in controller.message_queue.members -%}
                             {{ controller.message_queue.user }}:{{ controller.message_queue.password }}@{{ member.host }}:{{ member.get('port', rabbit_port) }}
                             {%- if not loop.last -%},{%- endif -%}
                         {%- endfor -%}
                             /{{ controller.message_queue.virtual_host }}
{%- else %}
  - transport_url: rabbit://{{ controller.message_queue.user }}:{{ controller.message_queue.password }}@{{ controller.message_queue.host }}:{{ rabbit_port}}/{{ controller.message_queue.virtual_host }}
{%- endif %}
  - db_engine: {{ controller.database.engine }}
  - db_password: {{ controller.database.password }}
  - db_user: {{ controller.database.user }}
  - db_address: {{ controller.database.host }}
  {%- if grains.get('noservices') %}
  - onlyif: /bin/false
  {%- endif %}

{%- endif %}

nova_placement_service_mask:
  file.symlink:
   - name: /etc/systemd/system/nova-placement-api.service
   - target: /dev/null

nova_placement_package:
  pkg.installed:
  - name: nova-placement-api
  - require:
    - file: nova_placement_service_mask

{#- Creation of sites using templates is deprecated, sites should be generated by apache pillar, and enabled by barbican formula #}
{%- if pillar.get('apache', {}).get('server', {}).get('site', {}).nova_placement is not defined %}

nova_placement_apache_conf_file:
  file.managed:
  - name: /etc/apache2/sites-available/nova-placement-api.conf
  - source: salt://nova/files/{{ controller.version }}/nova-placement-api.conf
  - template: jinja
  - require:
    - pkg: nova_controller_packages
    - pkg: nova_placement_package

placement_config:
  apache_site.enabled:
    - name: nova-placement-api
    - require:
      - nova_placement_apache_conf_file

{%- else %}

nova_cleanup_configs:
  file.absent:
    - names:
      - '/etc/apache2/sites-available/nova-placement-api.conf'
      - '/etc/apache2/sites-enabled/nova-placement-api.conf'

nova_placement_apache_conf_file:
  file.exists:
  - name: /etc/apache2/sites-available/wsgi_nova_placement.conf
  - require:
    - pkg: nova_placement_package
    - nova_cleanup_configs

placement_config:
  apache_site.enabled:
    - name: wsgi_nova_placement
    - require:
      - nova_placement_apache_conf_file

{%- endif %}

nova_controller_discover_hosts:
  cmd.run:
  - name: nova-manage cell_v2 discover_hosts --verbose --by-service
  {%- if grains.get('noservices') %}
  - onlyif: /bin/false
  {%- endif %}
  - runas: 'nova'
  - require:
    - sls: nova.db.offline_sync

nova_controller_map_instances:
  novav21.instances_mapped_to_cell:
  - name: 'cell1'
{%- if controller.get('mapped_instances_max_count') %}
  - max_count: {{ controller.get('mapped_instances_max_count') }}
{%- endif %}
  - timeout: {{ controller.get('mapped_instances_interval', 60) }}
  {%- if grains.get('noservices') %}
  - onlyif: /bin/false
  {%- endif %}
  - require:
    - cmd: nova_controller_discover_hosts
    - pkg: nova_controller_packages

{%- endif %}

{%- if controller.version not in ["juno", "kilo", "liberty", "mitaka", "newton"] %}

nova_apache_restart:
  service.running:
  - enable: true
  - name: apache2
  {%- if grains.get('noservices') %}
  - onlyif: /bin/false
  {%- endif %}
  - require:
    - sls: nova.db.offline_sync
    - sls: nova._ssl.mysql
  - watch:
    - file: /etc/nova/nova.conf
    - file: /etc/nova/api-paste.ini
    - nova_placement_apache_conf_file
    - placement_config

{%- endif %}
nova_controller_services:
  service.running:
  - enable: true
  - names: {{ controller.services }}
  {%- if grains.get('noservices') %}
  - onlyif: /bin/false
  {%- endif %}
  - require:
    - sls: nova.db.offline_sync
    - sls: nova._ssl.mysql
    - sls: nova._ssl.rabbitmq
  - require_in:
    - sls: nova.db.online_sync
  - watch:
    - file: /etc/nova/nova.conf
    - file: /etc/nova/api-paste.ini

{%- if grains.get('virtual_subtype', None) == "Docker" %}

nova_entrypoint:
  file.managed:
  - name: /entrypoint.sh
  - template: jinja
  - source: salt://nova/files/entrypoint.sh
  - mode: 755

{%- endif %}

{%- if controller.get('libvirt', {}).rng_dev_path is defined and controller.libvirt.rng_dev_path == '/dev/hwrng' %}
create_hwrng_udev_rule_controller:
  file.managed:
    - name: /etc/udev/rules.d/90-hwrng.rules
    - source: salt://nova/files/90-hwrng.rules
    - user: root
    - group: root
    - mode: 0644
    - onlyif: test -c /dev/hwrng

trigger_hwrng_udev_controller:
  cmd.run:
    - name: udevadm trigger /dev/hwrng
    - onchanges:
      - file: /etc/udev/rules.d/90-hwrng.rules

{%- endif %}


{%- endif %}