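---
# Molecule-style converge play: runs the lab playbook inside the controller
# container with the vault-encrypted files temporarily decrypted.
#
# Decrypt + run live in a `block`, re-encryption in its `always` section, so the
# plaintext copies never outlive the play — previously a failing lab play
# aborted the play before the "(always)" re-encrypt task could run.
- hosts: localhost
  gather_facts: false
  vars:
    # Container in which ansible-galaxy / ansible-vault / ansible-playbook run.
    controller_container: ansible-controller
    # Vault password file, as seen from inside the container.
    vault_password_file: /ansible/vault-password.txt
    # Vault id used when the files are encrypted again.
    vault_encrypt_id: default
    # Files or shell globs (expanded inside the container) to decrypt while the
    # lab play runs. Add your own paths here
    # (host_vars/*/vault.yml, group_vars/*/vault.yml, etc.).
    # Paths containing whitespace are not supported: globs are expanded by
    # unquoted word splitting inside the container.
    vault_targets:
      - /ansible/vault/secrets.yml
    # What to run once the secrets are readable. The inventory lives in the
    # Molecule ephemeral directory, resolved on the Molecule host.
    lab_inventory: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/inventory/hosts.ini"
    lab_playbook: /ansible/molecule/default/site.yml
    lab_roles_path: /ansible/roles

  tasks:
    - name: Install collections
      community.docker.docker_container_exec:
        container: "{{ controller_container }}"
        # Still best-effort (`|| true`), but the output is no longer discarded:
        # a silent install failure otherwise surfaces much later as a confusing
        # "module/collection not found" in the lab play.
        command: >-
          bash -lc "ansible-galaxy collection install -r /ansible/requirements.yml
          --force --no-deps --upgrade || true"

    - name: Run the lab play with vault targets decrypted
      block:
        - name: Decrypt vault targets
          community.docker.docker_container_exec:
            container: "{{ controller_container }}"
            # The password file and the targets are passed as positional
            # arguments rather than spliced into the single-quoted script, so a
            # `quote`d path containing shell specials cannot terminate the
            # script's quoting. Only files that start with the ansible-vault
            # header are decrypted; plaintext or missing files are skipped.
            # A real decrypt failure (wrong password, corrupt file) fails the
            # task, which hands control to the `always` re-encrypt below.
            command: |-
              bash -lc '
                set -euo pipefail
                pw=$1; shift
                is_vaulted() { [ "$(head -c 15 -- "$1")" = "\$ANSIBLE_VAULT;" ]; }
                if [ "$#" -eq 0 ]; then echo "[vault] no targets configured"; exit 0; fi
                for pat in "$@"; do
                  for p in $pat; do
                    if [ -f "$p" ] && is_vaulted "$p"; then
                      echo "[vault] decrypt $p"
                      ansible-vault decrypt --vault-password-file "$pw" "$p"
                    fi
                  done
                done
              ' _ {{ vault_password_file | quote }} {{ vault_targets | map('quote') | join(' ') }}

        - name: Run external playbook (your lab play)
          community.docker.docker_container_exec:
            container: "{{ controller_container }}"
            # Roles path, inventory and playbook arrive as $1..$3, so an
            # ephemeral directory containing spaces still yields one argument.
            command: >-
              bash -lc 'ANSIBLE_ROLES_PATH="$1" ansible-playbook -i "$2" "$3"'
              _ {{ lab_roles_path | quote }} {{ lab_inventory | quote }} {{ lab_playbook | quote }}

      always:
        - name: Re-encrypt vault targets
          community.docker.docker_container_exec:
            container: "{{ controller_container }}"
            # Runs whether or not the block above succeeded. Files already
            # carrying the vault header are skipped, so the only way this task
            # fails is a genuine encrypt error — which must fail the play rather
            # than be swallowed, because it means plaintext is left on disk.
            command: |-
              bash -lc '
                set -euo pipefail
                vid=$1; pw=$2; shift 2
                is_vaulted() { [ "$(head -c 15 -- "$1")" = "\$ANSIBLE_VAULT;" ]; }
                if [ "$#" -eq 0 ]; then echo "[vault] no targets configured"; exit 0; fi
                for pat in "$@"; do
                  for p in $pat; do
                    if [ -f "$p" ] && ! is_vaulted "$p"; then
                      echo "[vault] encrypt $p"
                      ansible-vault encrypt --encrypt-vault-id "$vid" --vault-password-file "$pw" "$p"
                    fi
                  done
                done
              ' _ {{ vault_encrypt_id | quote }} {{ vault_password_file | quote }} {{ vault_targets | map('quote') | join(' ') }}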