---
- name: include user tasks
  ansible.builtin.include_tasks: user.yml

- name: check if kubeseal is installed
  ansible.builtin.command: which kubeseal
  changed_when: false
  failed_when: kubeseal_installed.rc not in [0,1]
  register: kubeseal_installed

- name: download sealed_secrets binary
  ansible.builtin.unarchive:
    src: "{{ kubeseal_download_url }}"
    dest: "{{ kubeseal_path_bin }}"
    mode: "0755"
    owner: "{{ sealed_secrets_user }}"
    group: "{{ sealed_secrets_user_group }}"
    remote_src: true
    creates: "{{ kubeseal_path_bin }}/kubeseal"
  when: kubeseal_installed.rc not in [ 0 ]

- name: include import tasks
  ansible.builtin.include_tasks: import.yml
  # der ganze block nur auf enem host
  run_once: true
  when: ansible_host == flux_install_host