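---
# Materialises the vault-encrypted secrets for a local Docker Compose stack as
# one plain-text file per secret under <repo root>/secrets/. The files are
# readable only by the invoking user; keep that directory out of version control.
- name: Setup Local Development Secrets
  hosts: local
  gather_facts: true  # needed for ansible_user_id / ansible_env below
  become: false
  connection: local
  vars:
    vault_file: "{{ playbook_dir }}/../secrets/local.vault.yml"
    # Owner/group applied to the secrets directory and every file in it.
    # Templated when used, so the gathered fact is available by then.
    secrets_owner: "{{ ansible_user_id | default(ansible_env.USER | default('user')) }}"

  pre_tasks:
    - name: Get repository root path
      # Three levels above the playbook directory; the shell collapses the
      # relative segments into an absolute path.
      shell: |
        cd "{{ playbook_dir }}/../../.."
        pwd
      register: repo_root
      changed_when: false  # read-only lookup, never report a change
      delegate_to: localhost
      become: false

    - name: Set repository root as fact
      set_fact:
        app_stack_path: "{{ repo_root.stdout }}"

    - name: Verify vault file exists
      stat:
        path: "{{ vault_file }}"
      register: vault_stat
      delegate_to: localhost
      become: false

    - name: Fail if vault file missing
      fail:
        msg: "Vault file not found at {{ vault_file }}. Please create it from local.vault.yml.example"
      when: not vault_stat.stat.exists

  tasks:
    - name: Load encrypted secrets
      include_vars:
        file: "{{ vault_file }}"
      no_log: true  # keeps the decrypted values out of task output and logs

    - name: Ensure secrets directory exists for Docker Compose secrets
      file:
        path: "{{ app_stack_path }}/secrets"
        state: directory
        owner: "{{ secrets_owner }}"
        group: "{{ secrets_owner }}"
        mode: '0700'

    - name: Create Docker Compose secret files from vault
      copy:
        content: "{{ item.value }}"
        dest: "{{ app_stack_path }}/secrets/{{ item.name }}.txt"
        owner: "{{ secrets_owner }}"
        group: "{{ secrets_owner }}"
        mode: '0600'
      loop:
        - name: db_user_password
          value: "{{ vault_db_password }}"
        - name: redis_password
          value: "{{ vault_redis_password }}"
        - name: app_key
          value: "{{ vault_app_key }}"
        # Falls back to reusing the app key when no dedicated encryption key is
        # vaulted; a distinct vault_encryption_key avoids that key reuse.
        - name: vault_encryption_key
          value: "{{ vault_encryption_key | default(vault_app_key) }}"
      no_log: true  # item.value is a secret; suppress per-item output

    - name: Set secure permissions on secrets directory
      # Symbolic mode with X: the directory stays 0700 while the secret files
      # written above keep 0600. A numeric '0700' combined with recurse would
      # mark every secret file executable.
      file:
        path: "{{ app_stack_path }}/secrets"
        state: directory
        owner: "{{ secrets_owner }}"
        group: "{{ secrets_owner }}"
        mode: 'u=rwX,g=,o='
        recurse: true

    - name: Display secrets setup summary
      debug:
        msg: "? Local secrets created in {{ app_stack_path }}/secrets/"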