# ═══════════════════════════════════════════════════════════════════════════════
# Hysteria2 Ansible — Makefile
# ═══════════════════════════════════════════════════════════════════════════════

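# Recipes use bash-only syntax (for example `[[ ... =~ ... ]]` in `uninstall`).
SHELL := /bin/bash
# A bare `make` prints the target list rather than touching any server.
.DEFAULT_GOAL := help

# Editor exported to child processes (read by `ansible-vault edit`).
# `?=` keeps an EDITOR already set in the caller's environment, and the value
# is written without quotes because Make stores quotes literally in the value.
EDITOR ?= nano
export EDITOR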

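# User-tunable knobs. Override on the command line, e.g. `make install LIMIT=vps-de`.
# Playbook runner and ad-hoc runner.
ANSIBLE         ?= ansible-playbook
ANSIBLE_ADHOC   ?= ansible
# NOTE(review): INVENTORY and TAGS are declared but no rule visible in this file
# references them (targets pass fixed --tags values; no -i option is built).
INVENTORY       ?= inventory/hosts.yml
# Host pattern passed to --limit when non-empty.
LIMIT           ?=
# Extra variables passed to --extra-vars when non-empty.
EXTRA_VARS      ?=
TAGS            ?=
# Any non-empty value adds --ask-pass / --ask-become-pass to ANSIBLE_OPTS.
ASK_PASS        ?=
# Declared here because ANSIBLE_OPTS reads it; it was previously used undeclared.
ASK_BECOME_PASS ?=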

# Vault password source: use .vault_pass when the file exists.
# The check runs once, when the Makefile is parsed, so a .vault_pass created by
# a recipe is only picked up by the next `make` invocation.
# NOTE(review): the original note says the password is otherwise entered
# interactively, but no --ask-vault-pass is added here; confirm where the
# prompt is expected to come from.
VAULT_FILE      := .vault_pass
ifneq ($(wildcard $(VAULT_FILE)),)
VAULT_ARGS      := --vault-password-file $(VAULT_FILE)
else
VAULT_ARGS      :=
endif

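# Wrap $(1) in single quotes for the recipe shell, escaping embedded single
# quotes, so the value reaches the command as exactly one literal word.
sh_quote = '$(subst ','\'',$(1))'

# Options shared by the playbook and ad-hoc invocations.
# LIMIT and EXTRA_VARS are operator-supplied strings; they are shell-quoted so
# that host patterns such as `web:&db` or `vps-*` and JSON extra-vars are passed
# to Ansible intact instead of being split, globbed or evaluated by the shell.
# ASK_BECOME_PASS / ASK_PASS: any non-empty value enables the matching prompt.
ANSIBLE_OPTS    := $(VAULT_ARGS) \
                   $(if $(LIMIT),--limit $(call sh_quote,$(LIMIT)),) \
                   $(if $(EXTRA_VARS),--extra-vars $(call sh_quote,$(EXTRA_VARS)),) \
                   $(if $(ASK_BECOME_PASS),--ask-become-pass,) \
                   $(if $(ASK_PASS),--ask-pass,)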

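# ANSI colour sequences used in recipe output.
# The ESC byte is produced once at parse time. The recipes print these values
# with bash's builtin `echo`, which does not interpret a literal "\033" unless
# -e is given, so the textual escape was printed verbatim instead of colouring.
ESC    := $(shell printf '\033')
CYAN   := $(ESC)[0;36m
GREEN  := $(ESC)[0;32m
YELLOW := $(ESC)[1;33m
BOLD   := $(ESC)[1m
NC     := $(ESC)[0m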

# None of these targets produce a file of the same name; declaring them phony
# keeps a stray file called e.g. `install` from masking the rule.
.PHONY: help init check ping status
.PHONY: install update export uninstall
.PHONY: vault-init vault-encrypt vault-edit vault-view

# Self-documenting help: lists every rule header that carries a `## text`
# suffix (target name in the first column, text in the second), then prints
# usage examples.
help: ## Показать справку
	@printf '%s\n' "" "$(BOLD)Hysteria2 Ansible$(NC)" ""
	@awk 'BEGIN {FS = ":.*## "} /^[a-zA-Z0-9_-]+:.*##/ {printf "  $(CYAN)%-16s$(NC) %s\n", $$1, $$2}' $(MAKEFILE_LIST)
	@printf '%s\n' "" \
		"  $(YELLOW)Примеры:$(NC)" \
		"    make init" \
		"    make vault-init && make vault-encrypt" \
		"    make install" \
		"    make install LIMIT=vps-de" \
		"    make update LIMIT=vps-nl" \
		"    make uninstall LIMIT=vps-de" \
		""

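# Bootstrap the working copy from the *.example files; existing files are never
# overwritten.
#  - vault.yml is copied under umask 077: it holds secrets in plain text until
#    `make vault-encrypt` is run.
#  - .vault_pass is generated under umask 077 into a temporary file and renamed
#    into place, so it is never group/world-readable and a failed `openssl`
#    cannot leave an empty password file behind.
#  - ansible.cfg: only an active (uncommented) vault_password_file line counts
#    as configured; a commented-out line is uncommented, otherwise the setting
#    is appended.
# NOTE(review): the append lands at the end of ansible.cfg; this assumes the
# last section there is [defaults] — confirm.
init: ## Создать inventory, group_vars и .vault_pass из примеров
	@test -f inventory/hosts.yml || cp inventory/hosts.yml.example inventory/hosts.yml
	@test -f group_vars/all.yml || cp group_vars/all.yml.example group_vars/all.yml
	@test -f group_vars/hysteria2_servers/vars.yml || cp group_vars/hysteria2_servers/vars.yml.example group_vars/hysteria2_servers/vars.yml
	@test -f group_vars/hysteria2_servers/vault.yml || \
		(umask 077 && cp group_vars/hysteria2_servers/vault.yml.example group_vars/hysteria2_servers/vault.yml)
	@if [ ! -f .vault_pass ]; then \
		umask 077; \
		openssl rand -base64 32 > .vault_pass.tmp \
			&& mv -f .vault_pass.tmp .vault_pass \
			|| { rm -f .vault_pass.tmp; exit 1; }; \
	fi
	@if ! grep -Eq '^[[:space:]]*vault_password_file[[:space:]]*=' ansible.cfg; then \
		if grep -Eq '^[[:space:]]*#[[:space:]]*vault_password_file' ansible.cfg; then \
			sed -i.bak 's/^[[:space:]]*#[[:space:]]*vault_password_file/vault_password_file/' ansible.cfg \
				&& rm -f ansible.cfg.bak; \
		else \
			printf '\nvault_password_file = .vault_pass\n' >> ansible.cfg; \
		fi; \
	fi
	@echo "$(GREEN)Готово. Отредактируйте:$(NC)"
	@echo "  inventory/hosts.yml"
	@echo "  group_vars/all.yml"
	@echo "  group_vars/hysteria2_servers/vault.yml  → затем: make vault-encrypt"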

# Syntax-check both playbooks without running them.
# Only the vault arguments are passed (not LIMIT / EXTRA_VARS). The second
# check runs only if the first succeeds, because Make stops at the first
# failing recipe line.
check: ## Проверить синтаксис playbook
	$(ANSIBLE) playbook.yml --syntax-check $(VAULT_ARGS)
	$(ANSIBLE) playbook-uninstall.yml --syntax-check $(VAULT_ARGS)

# Connectivity check: runs the Ansible `ping` module against the
# hysteria2_servers group, honouring LIMIT and the other ANSIBLE_OPTS switches.
ping: ## Проверить SSH-доступ ко всем VPS
	$(ANSIBLE_ADHOC) hysteria2_servers -m ping $(ANSIBLE_OPTS)

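# Show the service state on each host. Tries the `hysteria-server` unit first
# and falls back to `hysteria2`; runs with privilege escalation (-b).
# LIMIT is single-quoted (with embedded quotes escaped) so that host patterns
# containing shell metacharacters such as `&`, `*` or `!` are passed to Ansible
# as one literal argument.
# NOTE(review): unlike `ping`, this target does not use ANSIBLE_OPTS, so
# ASK_PASS / ASK_BECOME_PASS have no effect here — confirm that is intended.
status: ## Статус hysteria-server на VPS
	$(ANSIBLE_ADHOC) hysteria2_servers -m shell \
		-a "systemctl status hysteria-server --no-pager || systemctl status hysteria2 --no-pager" \
		-b $(VAULT_ARGS) $(if $(LIMIT),--limit '$(subst ','\'',$(LIMIT))',)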

# Run playbook.yml restricted to the `install` tag. Depends on `check`, so a
# playbook with a syntax error is rejected before any host is contacted.
install: check ## Установить Hysteria2 на VPS (+ URL и QR локально)
	$(ANSIBLE) playbook.yml --tags install $(ANSIBLE_OPTS)

# Run playbook.yml restricted to the `update` tag, with ACME waiting and the
# system upgrade switched off through extra-vars.
# A user-supplied EXTRA_VARS is appended after these defaults via ANSIBLE_OPTS;
# Ansible gives later --extra-vars precedence, so it can override them.
update: check ## Обновить бинарник, перекатить конфиг, перевыпустить URL/QR
	$(ANSIBLE) playbook.yml --tags update --extra-vars "hysteria2_wait_for_acme=false hysteria2_upgrade_system=false" $(ANSIBLE_OPTS)

# Run playbook.yml restricted to the `export` tag (after the syntax check).
# NOTE(review): the help text says nothing changes on the server; that depends
# on which tasks carry the `export` tag in the playbook — not visible here.
export: check ## Только перевыпустить URL и QR (без изменений на сервере)
	$(ANSIBLE) playbook.yml --tags export $(ANSIBLE_OPTS)

# Destructive: runs playbook-uninstall.yml with the `uninstall` tag.
# The scope (LIMIT or all servers) is printed first and an explicit
# confirmation is required: any answer other than a single `y`/`Y` — including
# end-of-file on stdin in a non-interactive run — aborts with exit status 1
# before Ansible is started.
# Unlike install/update/export, this target does not depend on `check`.
uninstall: ## Полностью удалить Hysteria2 с VPS (только uninstall, без install/update)
	@echo "$(YELLOW)Будет выполнено удаление Hysteria2$(NC) $(if $(LIMIT),на $(LIMIT),на всех серверах)"
	@read -p "Продолжить? [y/N] " c; [[ "$$c" =~ ^[Yy]$$ ]] || exit 1
	$(ANSIBLE) playbook-uninstall.yml --tags uninstall $(ANSIBLE_OPTS)

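# Ensure a vault password file exists and is enabled in ansible.cfg.
#  - An existing .vault_pass is left untouched.
#  - A new one is generated under umask 077 into a temporary file and renamed
#    into place: the secret is never readable by group/others, and a failed
#    `openssl` cannot leave an empty password file behind.
#  - If ansible.cfg has no active vault_password_file line, a commented-out
#    one is uncommented (sed backup file is removed afterwards).
vault-init: ## Создать .vault_pass и включить vault_password_file в ansible.cfg
	@if [ ! -f .vault_pass ]; then \
		umask 077; \
		openssl rand -base64 32 > .vault_pass.tmp \
			&& mv -f .vault_pass.tmp .vault_pass \
			|| { rm -f .vault_pass.tmp; exit 1; }; \
	fi
	@if ! grep -q '^vault_password_file' ansible.cfg; then \
		sed -i.bak 's/# vault_password_file/vault_password_file/' ansible.cfg; \
		rm -f ansible.cfg.bak; \
	fi
	@echo "$(GREEN).vault_pass готов$(NC)"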

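# Encrypt group_vars/hysteria2_servers/vault.yml in place with the password
# from $(VAULT_FILE).
# The "already encrypted" test looks only at the first line for the
# `$ANSIBLE_VAULT;` file header. Matching the bare word ANSIBLE_VAULT anywhere
# in the file (for example in a comment of a plain-text vault.yml) would report
# the file as encrypted and leave the secrets unencrypted on disk.
vault-encrypt: vault-init ## Зашифровать group_vars/hysteria2_servers/vault.yml
	@if [ ! -f group_vars/hysteria2_servers/vault.yml ]; then \
		echo "$(YELLOW)Сначала: make init$(NC)"; exit 1; \
	fi
	@if head -n 1 group_vars/hysteria2_servers/vault.yml 2>/dev/null | grep -q '^\$$ANSIBLE_VAULT;'; then \
		echo "vault.yml уже зашифрован"; \
	else \
		ansible-vault encrypt group_vars/hysteria2_servers/vault.yml --vault-password-file $(VAULT_FILE); \
	fi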

# Open the encrypted vault in an editor through `ansible-vault edit`, using the
# password from $(VAULT_FILE). Depends on vault-init so the password file
# exists first.
vault-edit: vault-init ## Редактировать зашифрованный vault
	ansible-vault edit group_vars/hysteria2_servers/vault.yml --vault-password-file $(VAULT_FILE)

# Decrypt the vault and print it through `ansible-vault view`.
# The output contains the secrets in plain text: avoid running this where
# terminal output is recorded (CI job logs, shared sessions, screen capture).
vault-view: vault-init ## Показать содержимое vault (расшифровка)
	ansible-vault view group_vars/hysteria2_servers/vault.yml --vault-password-file $(VAULT_FILE)
