---
- name: Enroll TPM2 for LUKS
  block:
    # The passphrase is written to a root-only temp file so systemd-cryptenroll
    # can unlock the volume via --unlock-key-file instead of an interactive
    # prompt. The file lives on the target filesystem (/mnt) so it is reachable
    # both from the installer and from inside the chroot; it is removed in
    # "always" whatever happens.
    - name: Create temporary passphrase file for TPM2 enrollment
      ansible.builtin.tempfile:
        path: /mnt/tmp
        prefix: luks-passphrase-
        state: file
      register: configuration_luks_tpm2_passphrase_tempfile

    - name: Write passphrase into temporary file for TPM2 enrollment
      ansible.builtin.copy:
        dest: "{{ configuration_luks_tpm2_passphrase_tempfile.path }}"
        content: "{{ configuration_luks_passphrase_effective }}"
        owner: root
        group: root
        mode: "0600"
      # no_log keeps the passphrase out of the Ansible log and callback output.
      no_log: true

    # First attempt: run systemd-cryptenroll from inside the installed system
    # so the token is created by the same systemd version that will unlock it
    # at boot. The /mnt prefix is stripped from the key-file path because the
    # chroot sees the target root as "/". --wipe-slot=tpm2 removes any earlier
    # TPM2 enrollment before the new one is added.
    - name: Enroll TPM2 token
      vars:
        configuration_luks_enroll_args: >-
          {{
            [
              '/usr/bin/systemd-cryptenroll',
              '--tpm2-device=' + configuration_luks_tpm2_device,
              '--tpm2-with-pin=false',
              '--wipe-slot=tpm2',
              '--unlock-key-file=' + (
                configuration_luks_tpm2_passphrase_tempfile.path | regex_replace('^/mnt', '')
              )
            ]
            + (['--tpm2-pcrs=' + configuration_luks_tpm2_pcrs_effective]
               if configuration_luks_tpm2_pcrs_effective | length > 0 else [])
            + [configuration_luks_device]
          }}
        configuration_luks_enroll_chroot_cmd: >-
          {{ chroot_command }} /mnt {{ configuration_luks_enroll_args | join(' ') }}
      ansible.builtin.command: "{{ configuration_luks_enroll_chroot_cmd }}"
      register: configuration_luks_tpm2_enroll_chroot
      changed_when: configuration_luks_tpm2_enroll_chroot.rc == 0
      # A failure here is not fatal: the host-side retry and the assert below
      # decide the outcome.
      failed_when: false

    # Second attempt from the installer environment (e.g. when the chroot has
    # no /dev/tpmrm0 or no working systemd-cryptenroll). Same arguments, but
    # the key-file path is the host-side path.
    - name: Retry TPM2 enrollment in installer environment
      when:
        - (configuration_luks_tpm2_enroll_chroot.rc | default(1)) != 0
      vars:
        configuration_luks_enroll_args: >-
          {{
            [
              '/usr/bin/systemd-cryptenroll',
              '--tpm2-device=' + configuration_luks_tpm2_device,
              '--tpm2-with-pin=false',
              '--wipe-slot=tpm2',
              '--unlock-key-file=' + configuration_luks_tpm2_passphrase_tempfile.path
            ]
            + (['--tpm2-pcrs=' + configuration_luks_tpm2_pcrs_effective]
               if configuration_luks_tpm2_pcrs_effective | length > 0 else [])
            + [configuration_luks_device]
          }}
      ansible.builtin.command:
        argv: "{{ configuration_luks_enroll_args }}"
      register: configuration_luks_tpm2_enroll_host
      changed_when: configuration_luks_tpm2_enroll_host.rc == 0
      failed_when: false

    # Either attempt succeeding is enough. A failed assert triggers "rescue",
    # which downgrades the auto-unlock method to a plain keyfile.
    - name: Validate TPM2 enrollment succeeded
      ansible.builtin.assert:
        that:
          - >-
            (configuration_luks_tpm2_enroll_chroot.rc | default(1)) == 0
            or (configuration_luks_tpm2_enroll_host.rc | default(1)) == 0
        fail_msg: >-
          TPM2 enrollment failed.
          chroot rc={{ configuration_luks_tpm2_enroll_chroot.rc | default('n/a') }},
          host rc={{ configuration_luks_tpm2_enroll_host.rc | default('n/a') }},
          chroot stderr={{ configuration_luks_tpm2_enroll_chroot.stderr | default('') }},
          host stderr={{ configuration_luks_tpm2_enroll_host.stderr | default('') }}

  rescue:
    - name: Fallback to keyfile auto-decrypt
      ansible.builtin.set_fact:
        configuration_luks_auto_method: keyfile

  always:
    - name: Remove TPM2 enrollment passphrase file
      when: configuration_luks_tpm2_passphrase_tempfile.path is defined
      ansible.builtin.file:
        path: "{{ configuration_luks_tpm2_passphrase_tempfile.path }}"
        state: absent
      changed_when: false
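The assert above only proves that systemd-cryptenroll exited 0; it does not look at what actually landed in the LUKS2 header. A practitioner would follow enrollment with a header check: does a systemd-tpm2 token exist, was it enrolled without a PIN (the playbook passes --tpm2-with-pin=false), and is it bound to the PCRs that were requested. The following shell functions are an added example, not part of this Ansible role; they parse `cryptsetup luksDump` output and could be wrapped in a further command task. The sample dump is constructed, and the token field names (tpm2-hash-pcrs, tpm2-pin, Keyslot) are assumed from the systemd-tpm2 token plugin's dump format and should be checked against the systemd version on the target.

```shell
#!/bin/sh
# Post-enrollment verification for the TPM2 enrollment tasks above.
# Added example, not the role's own code. ASSUMPTION: the token field names
# below (tpm2-hash-pcrs, tpm2-pin, Keyslot) follow the systemd-tpm2 token
# plugin's luksDump output; confirm against your systemd version.

# Print the value of one field of the first systemd-tpm2 token, or nothing.
# $1 = luksDump text, $2 = field name without the trailing colon.
tpm2_token_field() {
  printf '%s\n' "$1" | awk -v name="$2:" '
    /^[[:space:]]*[0-9]+:[[:space:]]+systemd-tpm2[[:space:]]*$/ { in_tok = 1; next }
    /^[[:space:]]*[0-9]+:/ || /^[A-Za-z]/                          { in_tok = 0 }
    in_tok && $1 == name                                            { print $2; exit }
  '
}

# Return 0 when the header carries at least one systemd-tpm2 token.
# $1 = luksDump text.
has_tpm2_token() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*[0-9]+:[[:space:]]+systemd-tpm2[[:space:]]*$'
}

# Check the enrollment the playbook performs: token present, no PIN, and,
# when $2 is non-empty, PCR selection equal to $2 (same "7" / "0+7" syntax
# as --tpm2-pcrs). Empty $2 skips the PCR comparison, matching the playbook
# when configuration_luks_tpm2_pcrs_effective is empty.
# Returns 0 on success, 1/2/3 for the three failure modes.
check_tpm2_enrollment() {
  dump=$1
  expected_pcrs=$2
  if ! has_tpm2_token "$dump"; then
    echo "no systemd-tpm2 token in LUKS2 header" >&2
    return 1
  fi
  pin=$(tpm2_token_field "$dump" tpm2-pin)
  if [ "$pin" != "false" ]; then
    echo "token has tpm2-pin=${pin:-?}, playbook enrolls without a PIN" >&2
    return 2
  fi
  if [ -n "$expected_pcrs" ]; then
    pcrs=$(tpm2_token_field "$dump" tpm2-hash-pcrs)
    if [ "$pcrs" != "$expected_pcrs" ]; then
      echo "token bound to PCRs '${pcrs:-none}', expected '$expected_pcrs'" >&2
      return 3
    fi
  fi
  return 0
}

# Constructed, abridged sample of `cryptsetup luksDump /dev/sdX2` (not real
# device output): one passphrase slot plus a TPM2 token bound to PCR 7.
SAMPLE_DUMP=$(cat <<'EOF'
LUKS header information
Version:        2
Keyslots:
  0: luks2
  1: luks2
Tokens:
  0: systemd-tpm2
        tpm2-hash-pcrs:   7
        tpm2-pcr-bank:    sha256
        tpm2-pin:         false
        Keyslot:    1
Digests:
  0: pbkdf2
EOF
)

# Constructed sample of the same header before enrollment: no token at all.
SAMPLE_DUMP_NO_TOKEN=$(cat <<'EOF'
LUKS header information
Version:        2
Keyslots:
  0: luks2
Tokens:
Digests:
  0: pbkdf2
EOF
)

# Usage on a real system (device path is a placeholder):
#   check_tpm2_enrollment "$(cryptsetup luksDump /dev/sdX2)" "$PCRS" || echo "enrollment not as expected"
```

Running the check against the device immediately after the enroll tasks (and again after the first reboot, when the PCR values the token was sealed against are the ones the installed system actually produces) catches the case where systemd-cryptenroll returned 0 but the token is missing or bound to a different PCR set than intended.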