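---
# Package patching and unattended-upgrade configuration.
#
# Variables read by these tasks (all defined outside this file):
#   system_update_packages, system_apt_cache_valid_time, system_apt_upgrade,
#   system_enable_unattended_upgrades, system_enable_unattended_reboot,
#   system_unattended_reboot_time, system_enable_unattended_timer,
#   system_enable_docker_prune
# Every boolean toggle is passed through `| bool` so that string values
# (for example from `-e` extra vars) are interpreted consistently.

- name: Refresh apt cache on Debian-based systems
  ansible.builtin.apt:
    update_cache: true
    cache_valid_time: "{{ system_apt_cache_valid_time }}"
  become: true
  when:
    - ansible_os_family == 'Debian'
    - system_update_packages | bool

- name: Upgrade packages on Debian-based systems
  ansible.builtin.apt:
    upgrade: "{{ system_apt_upgrade }}"
    autoremove: true
  become: true
  when:
    - ansible_os_family == 'Debian'
    - system_update_packages | bool

- name: Upgrade packages on RedHat-based systems
  ansible.builtin.yum:
    name: '*'
    state: latest
  become: true
  when:
    - ansible_os_family == 'RedHat'
    - system_update_packages | bool

# Hosts outside the two supported families only get a debug message: the play
# still succeeds and the host stays unpatched. Treat this message as a finding
# when reviewing run output.
- name: Warn about unsupported package manager
  ansible.builtin.debug:
    msg: "System package updates are not implemented for {{ ansible_os_family }}"
  changed_when: false
  when:
    - system_update_packages | bool
    - ansible_os_family not in ['Debian', 'RedHat']

- name: Install unattended-upgrades packages
  ansible.builtin.package:
    name:
      - unattended-upgrades
      - apt-listchanges
    state: present
  become: true
  when:
    - ansible_os_family == 'Debian'
    - system_enable_unattended_upgrades | bool

# Daily list refresh, daily download, daily unattended-upgrade run, and an
# autoclean of the package cache every 7 days.
- name: Configure unattended upgrades periodic execution
  ansible.builtin.copy:
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    owner: root
    group: root
    mode: '0644'
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Download-Upgradeable-Packages "1";
      APT::Periodic::AutocleanInterval "7";
      APT::Periodic::Unattended-Upgrade "1";
  become: true
  when:
    - ansible_os_family == 'Debian'
    - system_enable_unattended_upgrades | bool

# The regexp treats the leading `//` as optional, so it matches both the
# commented-out default and a line written by an earlier run. A pattern of
# `//?` would require at least one slash, miss the active line, and append a
# second conflicting setting when the value is toggled.
# lineinfile rewrites only the last matching line, so a file that already
# holds several active copies of this setting needs a one-off manual check.
# NOTE(review): `create: true` produces a file holding only this line if the
# packaged 50unattended-upgrades is missing; confirm that cannot happen on the
# images in use.
- name: Configure unattended upgrade reboot preference
  ansible.builtin.lineinfile:
    path: /etc/apt/apt.conf.d/50unattended-upgrades
    regexp: '^\s*(//)?\s*Unattended-Upgrade::Automatic-Reboot\s+'
    # `| bool` before ternary: without it a string such as "false" is truthy
    # and would render "true", enabling reboots the operator switched off.
    line: 'Unattended-Upgrade::Automatic-Reboot "{{ system_enable_unattended_reboot | bool | ternary("true", "false") }}";'
    owner: root
    group: root
    mode: '0644'
    create: true
  become: true
  when:
    - ansible_os_family == 'Debian'
    - system_enable_unattended_upgrades | bool

# Same optional-comment-prefix pattern as the reboot preference task, so a
# changed reboot time replaces the existing line instead of adding another.
- name: Configure unattended upgrade reboot time
  ansible.builtin.lineinfile:
    path: /etc/apt/apt.conf.d/50unattended-upgrades
    regexp: '^\s*(//)?\s*Unattended-Upgrade::Automatic-Reboot-Time\s+'
    line: 'Unattended-Upgrade::Automatic-Reboot-Time "{{ system_unattended_reboot_time }}";'
    owner: root
    group: root
    mode: '0644'
    create: true
  become: true
  when:
    - ansible_os_family == 'Debian'
    - system_enable_unattended_upgrades | bool
    - system_enable_unattended_reboot | bool

# Removes only an active (uncommented) reboot-time line; the commented default
# is left in place.
- name: Disable unattended reboot time when automatic reboot is off
  ansible.builtin.lineinfile:
    path: /etc/apt/apt.conf.d/50unattended-upgrades
    regexp: '^Unattended-Upgrade::Automatic-Reboot-Time\s+'
    state: absent
    owner: root
    group: root
    mode: '0644'
  become: true
  when:
    - ansible_os_family == 'Debian'
    - system_enable_unattended_upgrades | bool
    - not system_enable_unattended_reboot | bool

# The apt configuration above takes effect only when these units run.
- name: Ensure unattended upgrade timers are enabled
  ansible.builtin.systemd:
    name: "{{ item }}"
    enabled: true
    state: started
  become: true
  loop:
    - apt-daily.timer
    - apt-daily-upgrade.timer
    - unattended-upgrades.service
  when:
    - ansible_os_family == 'Debian'
    - system_enable_unattended_upgrades | bool
    - system_enable_unattended_timer | bool

# Volumes are excluded from pruning, so persistent container data is kept.
- name: Prune unused Docker data
  community.docker.docker_prune:
    containers: true
    images: true
    networks: true
    volumes: false
    builder_cache: true
  become: true
  when: system_enable_docker_prune | bool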