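---
# Deploys the application stack to the target host:
#   1. resolves the application's secrets (PostgreSQL/Redis passwords, app key,
#      optional encryption key) from an ansible-vault file on the controller,
#      from extra vars, or from the already-deployed PostgreSQL stack;
#   2. copies the docker-compose and nginx sources into place;
#   3. renders the application .env file (owner-only readable).
#
# Secret-handling notes:
#   * Every task that reads or writes a secret runs with no_log: true so values
#     never reach the console or callback plugins.
#   * set_fact leaves the secrets as plain host facts for the rest of the play
#     (cacheable is left at its default, false, so they are not written to a
#     fact cache); any later task without no_log could still print them.

- name: Ensure application stack destination directory exists
  file:
    path: "{{ application_stack_dest }}"
    state: directory
    mode: '0755'

# The vault file lives on the controller, so it is stat'ed there; become is
# disabled because privilege escalation on localhost is neither needed nor
# wanted for a read-only check.
- name: Check if vault file exists locally
  stat:
    path: "{{ application_vault_file }}"
  delegate_to: localhost
  register: application_vault_stat
  become: false

# ignore_errors keeps the run going when the vault cannot be decrypted (for
# example no --vault-id was supplied) so the secrets can still be provided via
# extra vars. The explicit fail tasks further down catch the Redis/app-key
# case; the database password does NOT fail closed (see the note on
# "Determine application database password").
- name: Optionally load application secrets from vault
  include_vars:
    file: "{{ application_vault_file }}"
  when: application_vault_stat.stat.exists
  no_log: true
  ignore_errors: true
  delegate_to: localhost
  become: false

- name: Check if PostgreSQL .env exists on target host
  stat:
    path: "{{ stacks_base_path }}/postgresql/.env"
  register: application_postgres_env_file
  changed_when: false

# Reuse the password the PostgreSQL stack was deployed with so the application
# .env stays in sync with the database. The file path goes through the quote
# filter so a stacks_base_path containing spaces or shell metacharacters cannot
# be split into extra arguments or alter the command; no_log keeps the captured
# stdout out of the logs. `|| echo ''` plus failed_when: false make a missing
# or unreadable file yield an empty string instead of a failed task.
# NOTE(review): cut keeps any quotes that surround the value in the .env file
# (POSTGRES_PASSWORD="x" yields "x" including the quotes) — confirm the .env
# format written by the PostgreSQL role.
- name: Extract PostgreSQL password from .env file
  shell: >-
    grep '^POSTGRES_PASSWORD=' {{ (stacks_base_path ~ '/postgresql/.env') | quote }} 2>/dev/null
    | cut -d'=' -f2- || echo ''
  register: application_postgres_password
  changed_when: false
  failed_when: false
  when: application_postgres_env_file.stat.exists
  no_log: true

# Precedence: the password already used by the deployed PostgreSQL stack, then
# vault_db_root_password, then a freshly generated random value. When the
# extraction task above was skipped its registered result has no stdout, so the
# value is defaulted to '' before being handed to ternary.
# NOTE(review): the /dev/null password lookup is never persisted, so when
# neither the PostgreSQL .env nor vault_db_root_password exists every run writes
# a different password into the application .env that no database knows about.
# Consider failing here, like the Redis/app-key checks below, instead of
# silently generating one. The generated value may also contain punctuation;
# confirm the .env consumer and any DB URL built from it tolerate that.
- name: Determine application database password
  set_fact:
    application_db_password: >-
      {{ (application_postgres_env_file.stat.exists
          and (application_postgres_password.stdout | default('')) != '')
         | ternary(application_postgres_password.stdout | default(''),
                   vault_db_root_password
                   | default(lookup('password', '/dev/null length=32 chars=ascii_letters,digits,punctuation'))) }}
  no_log: true

# Extra-var redis_password wins over the vault value; an empty string marks
# "not provided" and is rejected by the next task.
- name: Determine application redis password
  set_fact:
    application_redis_password: "{{ redis_password | default(vault_redis_password | default('')) }}"
  no_log: true

# Fail closed: the Redis password is mandatory. trim also rejects
# whitespace-only values.
- name: Ensure redis password provided via vault
  fail:
    msg: >-
      Redis credentials are missing. Define vault_redis_password in
      {{ application_vault_file }} (encrypted with ansible-vault) or pass
      redis_password via extra vars.
  when: (application_redis_password | string | trim) == ''

- name: Determine application app key
  set_fact:
    application_app_key: "{{ app_key | default(vault_app_key | default('')) }}"
  no_log: true

# Fail closed: the application key is mandatory.
- name: Ensure application app key provided via vault
  fail:
    msg: >-
      Application key missing. Define vault_app_key in
      {{ application_vault_file }} (ansible-vault) or pass app_key via extra
      vars.
  when: (application_app_key | string | trim) == ''

# The encryption key is optional; an empty string is rendered when none is set.
- name: Determine encryption key (optional)
  set_fact:
    application_encryption_key: "{{ encryption_key | default(vault_encryption_key | default('')) }}"
  no_log: true

# Compose sources are checked on the controller first so each copy task can be
# skipped cleanly when a file is absent instead of failing.
- name: Check if application docker-compose.base.yml source exists locally
  stat:
    path: "{{ application_stack_src }}/docker-compose.base.yml"
  delegate_to: localhost
  register: application_compose_base_src
  become: false

# The production override lives three directories above the stack source
# (repository root, presumably) — the relative path is kept as-is.
- name: Check if application docker-compose.production.yml source exists locally
  stat:
    path: "{{ application_stack_src }}/../../../docker-compose.production.yml"
  delegate_to: localhost
  register: application_compose_prod_src
  become: false

# Compose files hold no secrets themselves (they read .env), so 0644 is
# acceptable; the .env rendered at the end is the only 0600 artifact.
- name: Copy application docker-compose.base.yml to target host
  copy:
    src: "{{ application_stack_src }}/docker-compose.base.yml"
    dest: "{{ application_stack_dest }}/docker-compose.base.yml"
    owner: "{{ ansible_user }}"
    group: "{{ ansible_user }}"
    mode: '0644'
  when: application_compose_base_src.stat.exists

- name: Copy application docker-compose.production.yml to target host
  copy:
    src: "{{ application_stack_src }}/../../../docker-compose.production.yml"
    dest: "{{ application_stack_dest }}/docker-compose.production.yml"
    owner: "{{ ansible_user }}"
    group: "{{ ansible_user }}"
    mode: '0644'
  when: application_compose_prod_src.stat.exists

# Legacy layout: a single docker-compose.yml, only consulted when the base file
# is missing. Because this stat is conditional, the copy below must also guard
# on the registered variable being defined (a skipped task registers a result
# without a stat key).
- name: Check if legacy docker-compose.yml exists (fallback)
  stat:
    path: "{{ application_stack_src }}/docker-compose.yml"
  delegate_to: localhost
  register: application_compose_src
  become: false
  when: not (application_compose_base_src.stat.exists | default(false))

- name: Copy application docker-compose.yml to target host (fallback for legacy)
  copy:
    src: "{{ application_stack_src }}/docker-compose.yml"
    dest: "{{ application_stack_dest }}/docker-compose.yml"
    owner: "{{ ansible_user }}"
    group: "{{ ansible_user }}"
    mode: '0644'
  when:
    - application_compose_src is defined
    - application_compose_src.stat.exists | default(false)
    - not (application_compose_base_src.stat.exists | default(false))

- name: Check if nginx configuration exists locally
  stat:
    path: "{{ application_stack_src }}/nginx"
  delegate_to: localhost
  register: application_nginx_src
  become: false

# Recursive copy of the nginx directory. mode applies to the copied files;
# directory_mode is set explicitly so sub-directories are traversable instead of
# depending on copy's handling of a 0644 mode for directories (which would make
# nested config unreadable by nginx).
- name: Synchronize nginx configuration
  copy:
    src: "{{ application_stack_src }}/nginx/"
    dest: "{{ application_stack_dest }}/nginx/"
    owner: "{{ ansible_user }}"
    group: "{{ ansible_user }}"
    mode: '0644'
    directory_mode: '0755'
  when: application_nginx_src.stat.exists

# Map the resolved values onto the short variable names the .env template
# expects. Note that if redis_password/app_key/encryption_key were passed as
# extra vars those keep precedence over set_fact, which is consistent with how
# they were resolved above.
- name: Expose secrets for template rendering
  set_fact:
    db_password: "{{ application_db_password }}"
    redis_password: "{{ application_redis_password }}"
    app_key: "{{ application_app_key }}"
    encryption_key: "{{ application_encryption_key }}"
    db_username: "{{ db_user | default(db_user_default) }}"
    db_name: "{{ db_name | default(db_name_default) }}"
  no_log: true

# The rendered .env contains every secret above, hence owner-only permissions.
- name: Render application environment file
  template:
    src: "{{ application_env_template }}"
    dest: "{{ application_stack_dest }}/.env"
    owner: "{{ ansible_user }}"
    group: "{{ ansible_user }}"
    mode: '0600'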