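---
# Molecule-style driver play: load an optional preset, temporarily decrypt the
# vault files the lab playbook needs, run the playbook inside the
# ansible-controller container, and re-encrypt the files afterwards.
#
# Changes vs. the previous revision:
#   * preset_name: `default('default', true)` — an unset MOLECULE_PRESET renders
#     as an empty string, and plain `default()` does not replace empty strings,
#     so the file path used to become "presets/.yml" and no preset was loaded.
#   * decrypt + run are wrapped in a block whose `always:` re-encrypts, so a
#     failing lab run can no longer leave plaintext secrets on /workspace.
#   * vault targets are passed to bash as positional parameters ("$@") instead
#     of being templated into the body of the single-quoted script.
- hosts: localhost
  gather_facts: false
  vars:
    # Preset name from the MOLECULE_PRESET environment variable; the second
    # argument to default() also treats an empty (unset) value as missing.
    preset_name: "{{ lookup('env', 'MOLECULE_PRESET') | default('default', true) }}"
    preset_file: "/workspace/molecule/presets/{{ preset_name }}.yml"
    # Files/globs that must be temporarily decrypted for the run.
    # Quoted so `*` / `**` can never be read as YAML alias/anchor syntax.
    # Globs are expanded by bash (nullglob + globstar) inside the container.
    vault_targets:
      - '/workspace/vault/secrets.yml'
      - '/workspace/files/playbooks/group_vars/*/vault.yml'
      - '/workspace/files/playbooks/host_vars/*/vault.yml'
      - '/workspace/roles/**/vars/vault.yml'

  tasks:
    - name: Load preset configuration
      include_vars: "{{ preset_file }}"
      when: preset_file is file
      ignore_errors: true

    # - name: Install collections
    #   community.docker.docker_container_exec:
    #     container: ansible-controller
    #     command: bash -lc "ansible-galaxy collection install -r /workspace/requirements.yml --force --no-deps --upgrade >/dev/null 2>&1 || true"

    # The decrypt step and the lab run share a block so that the `always:`
    # re-encrypt step executes even when the playbook fails or is interrupted
    # by a task error; a failure inside the block is still reported after
    # `always:` has run.
    - name: Vault-guarded lab run
      block:
        - name: Preflight vault — normalize state (encrypt if plaintext, then decrypt)
          community.docker.docker_container_exec:
            container: ansible-controller
            # Literal block scalar keeps the newlines, so `fi` / `done` stay on
            # their own lines. The script body is a fixed single-quoted string;
            # the targets arrive as "$@" (arg0 is a placeholder name).
            command: |
              bash -lc '
              set -euo pipefail
              shopt -s nullglob globstar
              for p in "$@"; do
                for f in $p; do
                  [ -f "$f" ] || continue
                  if head -n1 "$f" | grep -q "^\$ANSIBLE_VAULT;"; then
                    echo "[vault] already encrypted: $f"
                  else
                    echo "[vault] plaintext -> encrypt: $f"
                    ansible-vault encrypt --encrypt-vault-id default --vault-password-file /workspace/vault/.vault "$f"
                  fi
                  echo "[vault] decrypt for run: $f"
                  ansible-vault decrypt --vault-password-file /workspace/vault/.vault "$f"
                done
              done
              ' vault-preflight {{ vault_targets | map('quote') | join(' ') }}

        - name: Run lab playbook
          community.docker.docker_container_exec:
            container: ansible-controller
            # Inventory path is single-quoted inside the bash string so an
            # unusual MOLECULE_EPHEMERAL_DIRECTORY value stays one argument.
            command: >-
              bash -lc "
              ANSIBLE_ROLES_PATH=/workspace/roles
              ansible-playbook
              -i '{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/inventory/hosts.ini'
              /workspace/molecule/default/site.yml
              "

      always:
        - name: Post-run — re-encrypt secrets
          community.docker.docker_container_exec:
            container: ansible-controller
            # Best-effort, as before: a file that cannot be re-encrypted is
            # reported on stderr instead of aborting the remaining targets.
            command: |
              bash -lc '
              set -euo pipefail
              shopt -s nullglob globstar
              for p in "$@"; do
                for f in $p; do
                  [ -f "$f" ] || continue
                  if head -n1 "$f" | grep -q "^\$ANSIBLE_VAULT;"; then
                    echo "[vault] ok (encrypted): $f"
                  else
                    echo "[vault] encrypt back: $f"
                    ansible-vault encrypt --encrypt-vault-id default --vault-password-file /workspace/vault/.vault "$f" || echo "[vault] WARNING: failed to re-encrypt $f" >&2
                  fi
                done
              done
              ' vault-reencrypt {{ vault_targets | map('quote') | join(' ') }}
          ignore_errors: true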