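---
# TODO - ensure `additional_db` contains all keys that we expect

# The SQL statements that we'll run against Postgres are stored in a file that others can't read.
# This file will be mounted into the container and fed to Postgres.
# This way, we avoid passing sensitive data around in CLI commands that other users on the system can see.
#
# The create / execute / delete steps are grouped in a block so that the SQL file
# (which carries the database credentials) is removed from /tmp even when the
# psql invocation fails; previously a failed run left the file behind.
#
# NOTE(review): the /tmp path is fixed, so two concurrent runs of this task file on the
# same host would overwrite each other's file — confirm callers run it serially.

- name: Initialize additional database {{ additional_db.name }}
  block:
    - name: Create additional database initialization SQL file for {{ additional_db.name }}
      template:
        src: "{{ role_path }}/templates/init-additional-db-user-and-role.sql.j2"
        dest: "/tmp/matrix-postgres-init-additional-db-user-and-role.sql"
        # Quoted so the YAML parser does not turn the octal literal into a decimal int.
        mode: "0600"
        owner: "{{ matrix_user_uid }}"
        group: "{{ matrix_user_gid }}"

    # The container runs unprivileged (explicit uid:gid, all capabilities dropped) and only
    # sees the SQL file through a read-only bind mount; connection settings come from the
    # env file rather than from the command line.
    - name: Execute Postgres additional database initialization SQL file for {{ additional_db.name }}
      command:
        cmd: >-
          {{ matrix_host_command_docker }} run
          --rm
          --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
          --cap-drop=ALL
          --env-file={{ matrix_postgres_base_path }}/env-postgres-psql
          --network {{ matrix_docker_network }}
          --mount type=bind,src=/tmp/matrix-postgres-init-additional-db-user-and-role.sql,dst=/matrix-postgres-init-additional-db-user-and-role.sql,ro
          --entrypoint=/bin/sh
          {{ matrix_postgres_docker_image_to_use }}
          -c 'psql -h {{ matrix_postgres_connection_hostname }} --file=/matrix-postgres-init-additional-db-user-and-role.sql'

  # Runs whether the block succeeded or failed, so the credential-bearing file never lingers.
  always:
    - name: Delete additional database initialization SQL file for {{ additional_db.name }}
      file:
        path: /tmp/matrix-postgres-init-additional-db-user-and-role.sql
        state: absent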