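---
# Run roles in the universal lab
# Author: Sergey Antropov
# Site: https://devops.org.ru
#
# Security note: ansible-vault files are decrypted to plaintext *on disk* in
# the controller container for the duration of the run and re-encrypted
# afterwards. The re-encrypt step lives in an `always` section so a failing
# playbook cannot leave secrets in the clear, and a failed re-encrypt is fatal
# so the operator is told when plaintext remains. The playbook run is given
# `--vault-password-file`, so the decrypt/re-encrypt cycle is only needed for
# consumers that read the files without Ansible's vault support (e.g. a plain
# `lookup('file', ...)`); if nothing in /ansible/roles does that, drop the
# "Preflight" decrypt and the "Post-run" task and keep the files vaulted.
- hosts: localhost
  gather_facts: false
  vars:
    # Path (inside the controller container) to the vault password file.
    vault_password_file: /ansible/vault/.vault
    # Files/globs holding secrets (add your own paths). Globs are expanded by
    # bash inside the container (nullglob + globstar), not on the Molecule host.
    vault_targets:
      - /ansible/vault/secrets.yml
      - /ansible/files/playbooks/group_vars/*/vault.yml
      - /ansible/files/playbooks/host_vars/*/vault.yml
      - /ansible/roles/**/vars/vault.yml
    # Inventory written by Molecule for the current scenario.
    molecule_inventory: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/inventory/hosts.yml"
    # The shell scripts are kept as literal blocks and handed to bash as one
    # argv element; targets and the password-file path arrive as positional
    # arguments. This removes the nested quoting of the previous inline form
    # (shlex re-parsing of `command` stripped the quotes added by `| quote`)
    # and means a path containing quotes or spaces cannot break the command.
    # Usage: bash -lc "$script" <name> <password-file> <glob>...
    vault_normalize_script: |
      set -euo pipefail
      shopt -s nullglob globstar
      pw="$1"; shift
      for pattern in "$@"; do
        for f in $pattern; do
          [ -f "$f" ] || continue
          # Vault files start with the "$ANSIBLE_VAULT;" header; `\$` is a
          # literal dollar in a basic regex.
          if head -n1 "$f" | grep -q '^\$ANSIBLE_VAULT;'; then
            echo "[vault] already encrypted: $f"
          else
            echo "[vault] plaintext -> encrypt: $f"
            ansible-vault encrypt --encrypt-vault-id default --vault-password-file "$pw" "$f"
          fi
          echo "[vault] decrypt for run: $f"
          ansible-vault decrypt --vault-password-file "$pw" "$f"
        done
      done
    # Re-encrypts every target that is still plaintext. Deliberately no `set -e`:
    # keep going so every file gets an attempt, then exit non-zero if any file
    # could not be re-encrypted — a plaintext secret left behind must fail the play.
    vault_reencrypt_script: |
      set -uo pipefail
      shopt -s nullglob globstar
      pw="$1"; shift
      failed=0
      for pattern in "$@"; do
        for f in $pattern; do
          [ -f "$f" ] || continue
          if head -n1 "$f" | grep -q '^\$ANSIBLE_VAULT;'; then
            continue
          fi
          echo "[vault] encrypt back: $f"
          if ! ansible-vault encrypt --encrypt-vault-id default --vault-password-file "$pw" "$f"; then
            echo "[vault] ERROR: could not re-encrypt $f; plaintext secret left on disk" >&2
            failed=1
          fi
        done
      done
      exit "$failed"

  pre_tasks:
    # `lab_spec` is expected as an extra var pointing at the preset file.
    - name: Load lab preset (vars)
      include_vars:
        file: "{{ lab_spec }}"

  tasks:
    # Best-effort by design: a failed install is not hidden for good, it
    # surfaces as a missing module/plugin when the roles run below.
    - name: Install collections in controller
      community.docker.docker_container_exec:
        container: ansible-controller
        argv:
          - bash
          - "-lc"
          - "ansible-galaxy collection install -r /ansible/files/requirements.yml || true"

    # block/always guarantees the re-encrypt runs even when the role run
    # fails; previously a failed "Run external playbook" skipped the post-run
    # task and left every vault file decrypted on disk.
    - name: Run roles with vault files temporarily decrypted
      block:
        - name: Preflight vault — normalize state (encrypt if plaintext, then decrypt)
          community.docker.docker_container_exec:
            container: ansible-controller
            argv: "{{ ['bash', '-lc', vault_normalize_script, 'vault-normalize', vault_password_file] + vault_targets }}"

        # The password file is passed so ansible-playbook can read vaulted
        # files directly; the inventory path comes in as an argument rather
        # than being spliced into a shell string.
        - name: Run external playbook (your roles live in /ansible/roles)
          community.docker.docker_container_exec:
            container: ansible-controller
            argv:
              - bash
              - "-lc"
              - 'export ANSIBLE_ROLES_PATH=/ansible/roles; exec ansible-playbook --vault-password-file "$1" -i "$2" "$3"'
              - run-site
              - "{{ vault_password_file }}"
              - "{{ molecule_inventory }}"
              - /ansible/files/playbooks/site.yml
      always:
        # No ignore_errors here on purpose: if a secret cannot be re-encrypted
        # the play must fail so the plaintext is noticed and cleaned up.
        - name: Post-run vault — re-encrypt everything
          community.docker.docker_container_exec:
            container: ansible-controller
            argv: "{{ ['bash', '-lc', vault_reencrypt_script, 'vault-reencrypt', vault_password_file] + vault_targets }}"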