---
# =============================================================================
# CONVERGE - Сборка и запуск тестовых сценариев
# =============================================================================
- hosts: localhost
  gather_facts: false
  vars:
    # Получаем preset из переменной окружения или используем default
    preset_name: "{{ lookup('env', 'MOLECULE_PRESET') | default('default') }}"
    preset_file: "/workspace/molecule/presets/{{ preset_name }}.yml"
    
    # перечисли файлы/глобы, которые нужно временно расшифровать
    vault_targets:
      - /workspace/vault/secrets.yml
      - /workspace/vault/secret.yml
      - /workspace/files/playbooks/group_vars/*/vault.yml
      - /workspace/files/playbooks/host_vars/*/vault.yml
      - /workspace/roles/**/vars/vault.yml

  tasks:
    # =============================================================================
    # НАСТРОЙКА - Загрузка конфигурации и подготовка
    # =============================================================================
    - name: Configuration setup
      debug:
        msg: |
          ================================================================================
          НАСТРОЙКА - Загрузка конфигурации и подготовка
          ================================================================================
          Preset: {{ preset_name }}
          ================================================================================

    - name: Load preset configuration
      include_vars: "{{ preset_file }}"
      when: preset_file is file
      ignore_errors: true

#    - name: Install collections
#      community.docker.docker_container_exec:
#        container: ansible-controller
#        command: bash -lc "ansible-galaxy collection install -r /workspace/requirements.yml --force --no-deps --upgrade >/dev/null 2>&1 || true"

    # =============================================================================
    # VAULT - Работа с зашифрованными файлами
    # =============================================================================
    - name: Vault operations
      debug:
        msg: |
          ================================================================================
          VAULT - Работа с зашифрованными файлами
          ================================================================================
          Files: {{ vault_targets | length }} targets
          ================================================================================

    - name: Preflight vault — normalize state (encrypt if plaintext, then decrypt)
      community.docker.docker_container_exec:
        container: ansible-controller
        command: "bash -c 'VAULT_PASSWORD_FILE=\"/workspace/vault/.vault\"; if [ -f \"$VAULT_PASSWORD_FILE\" ] && [ -f \"/workspace/vault/secrets.yml\" ]; then ansible-vault decrypt --vault-password-file \"$VAULT_PASSWORD_FILE\" /workspace/vault/secrets.yml; fi'"
      ignore_errors: true

    # =============================================================================
    # PLAYBOOK - Запуск основного playbook
    # =============================================================================
    - name: Playbook execution
      debug:
        msg: |
          ================================================================================
          PLAYBOOK - Запуск основного playbook
          ================================================================================
          File: /workspace/molecule/default/site.yml
          ================================================================================

    - name: Run lab playbook
      community.docker.docker_container_exec:
        container: ansible-controller
        command: "bash -c 'ANSIBLE_ROLES_PATH=/workspace/roles; VAULT_PASSWORD_FILE=\"/workspace/vault/.vault\"; VAULT_SECRETS_FILE=\"/workspace/vault/secrets.yml\"; INVENTORY_FILE=\"/tmp/molecule_workspace/inventory/hosts.ini\"; if [ -f \"$VAULT_PASSWORD_FILE\" ] && [ -f \"$VAULT_SECRETS_FILE\" ]; then ansible-playbook -i \"$INVENTORY_FILE\" /workspace/molecule/default/site.yml --vault-password-file \"$VAULT_PASSWORD_FILE\" -e \"vault_file_path=$VAULT_SECRETS_FILE\"; else ansible-playbook -i \"$INVENTORY_FILE\" /workspace/molecule/default/site.yml; fi'"

    # =============================================================================
    # CLEANUP - Перешифровка файлов после выполнения
    # =============================================================================
    - name: Cleanup operations
      debug:
        msg: |
          ================================================================================
          CLEANUP - Перешифровка файлов после выполнения
          ================================================================================
          Re-encrypting vault files
          ================================================================================

    - name: Post-run — re-encrypt secrets
      community.docker.docker_container_exec:
        container: ansible-controller
        command: "bash -c 'VAULT_PASSWORD_FILE=\"/workspace/vault/.vault\"; if [ -f \"$VAULT_PASSWORD_FILE\" ] && [ -f \"/workspace/vault/secrets.yml\" ]; then ansible-vault encrypt --encrypt-vault-id default --vault-password-file \"$VAULT_PASSWORD_FILE\" /workspace/vault/secrets.yml; fi'"
      ignore_errors: true