---
- name: Create download directory
  file:
    dest: "{{ openwrt_download_dir }}"
    state: directory

- block:
    - name: Generate OpenWrt download URLs
      set_fact:
        openwrt_url:
          https://downloads.openwrt.org/releases/{{ openwrt_release }}/targets/{{ openwrt_arch | mandatory }}/{{ openwrt_target }}

    - name: Download sha256sums
      get_url:
        url: "{{ openwrt_url }}/sha256sums"
        dest: "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256"

    - name: Download sha256sums.asc
      get_url:
        url: "{{ openwrt_url }}/sha256sums.asc"
        dest: "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc"

    - name: Check OpenPGP signature
      command: >-
        gpg2 --no-options --no-default-keyring --secret-keyring /dev/null
             --verify --keyring "{{ role_path }}/openwrt-keyring.gpg"
             --trust-model always
             "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc"
      changed_when: False

    - name: Extract SHA256 hash of the imagebuilder archive
      command: grep '{{ openwrt_tarball_name }}' "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256"
      register: sha256
      changed_when: False

    - name: Download imagebuilder
      get_url:
        url: "{{ openwrt_url }}/{{ openwrt_tarball_name }}"
        dest: "{{ openwrt_download_dir }}/{{ openwrt_tarball_name }}"
        checksum: sha256:{{ sha256.stdout.split(' ') | first }}

  rescue:
    - name: Delete downloaded artifacts
      file:
        path: "{{ item }}"
        state: absent
      with_items:
        - "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256"
        - "{{ openwrt_download_dir }}/{{ openwrt_tarball_basename }}.sha256.asc"
        - "{{ openwrt_download_dir }}/{{ openwrt_tarball_name }}"
    - fail:
        msg: Something borked