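---
# Deploys the production secrets bundle to the `production` hosts.
#
# Flow: confirm the vault file is present on the controller, load it with
# `no_log`, create the secrets directory, render .env.production from the
# vault variables, then tighten permissions on the whole directory. The
# Docker Swarm secret tasks are kept for reference but disabled
# (`when: false`) because this deployment is compose-only.
#
# Not defined in this file and expected from inventory/group_vars:
# `secrets_path`, `ansible_user`. Expected from the vault file:
# `vault_db_password`, `vault_redis_password`, `vault_app_key`,
# `vault_jwt_secret`, `vault_mail_password`, plus whatever the
# .env.production.j2 template reads. Decrypting the vault needs a vault
# password source (e.g. `--ask-vault-pass` or a vault id) at run time.
- name: Setup Production Secrets
  hosts: production
  gather_facts: true
  become: true
  vars:
    vault_file: "{{ playbook_dir }}/../secrets/production.vault.yml"

  pre_tasks:
    # The vault lives next to the playbook on the controller, so the check runs
    # there (not on the target) and without privilege escalation.
    - name: Verify vault file exists
      stat:
        path: "{{ vault_file }}"
      register: vault_stat
      delegate_to: localhost
      become: false

    - name: Fail if vault file missing
      fail:
        msg: "Vault file not found at {{ vault_file }}"
      when: not vault_stat.stat.exists

  tasks:
    # `command` rather than `shell`: no pipes, globs or redirects are needed,
    # so there is no reason to pass the argument through a shell. The
    # `{{ "{{" }}` / `{{ "}}" }}` construct emits literal braces so Jinja does
    # not try to render Docker's Go template.
    - name: Detect Docker Swarm mode
      command: docker info -f '{{ "{{" }}.Swarm.LocalNodeState{{ "}}" }}'
      register: swarm_state
      changed_when: false

    # NOTE(review): `swarm_active` is not referenced by any task in this
    # playbook; it is kept so the disabled Swarm tasks below can be gated on
    # it (`when: swarm_active`) if they are ever re-enabled.
    - name: Set fact if swarm is active
      set_fact:
        swarm_active: "{{ swarm_state.stdout | lower == 'active' }}"

    # Vault-encrypted variables; no_log keeps their values out of task output
    # (include_vars otherwise echoes the loaded variables in its result).
    - name: Load encrypted secrets
      include_vars:
        file: "{{ vault_file }}"
      no_log: true

    - name: Ensure secrets directory exists
      file:
        path: "{{ secrets_path }}"
        state: directory
        owner: "{{ ansible_user }}"
        group: "{{ ansible_user }}"
        mode: "0700"

    # Rendered from vault variables, so the task itself must be no_log or the
    # diff/verbose output would print the secrets.
    - name: Create .env.production file
      template:
        src: "{{ playbook_dir }}/../templates/.env.production.j2"
        dest: "{{ secrets_path }}/.env.production"
        owner: "{{ ansible_user }}"
        group: "{{ ansible_user }}"
        mode: "0600"
      no_log: true

    # Disabled: compose-only deployment, Swarm secrets are not used. If this is
    # re-enabled, consider the collection-qualified module name
    # (`community.docker.docker_secret`) and gating on `swarm_active`.
    - name: Create Docker secrets from vault (disabled for compose-only deployment)
      docker_secret:
        name: "{{ item.name }}"
        data: "{{ item.value }}"
        state: present
      loop:
        - name: db_password
          value: "{{ vault_db_password }}"
        - name: redis_password
          value: "{{ vault_redis_password }}"
        - name: app_key
          value: "{{ vault_app_key }}"
        - name: jwt_secret
          value: "{{ vault_jwt_secret }}"
        - name: mail_password
          value: "{{ vault_mail_password }}"
      no_log: true
      when: false

    # Recursive pass so anything already present under secrets_path is also
    # owner-only. Symbolic mode with a capital X grants execute only to
    # directories (and files that already had it): the previous numeric 0700
    # applied recursively made .env.production executable right after it had
    # been written with mode 0600.
    - name: Set secure permissions on secrets directory
      file:
        path: "{{ secrets_path }}"
        state: directory
        owner: "{{ ansible_user }}"
        group: "{{ ansible_user }}"
        mode: "u=rwX,g=,o="
        recurse: true

    # Disabled together with the Swarm secret creation above.
    - name: Verify Docker secrets (skipped)
      command: docker secret ls --format '{{ "{{" }}.Name{{ "}}" }}'
      register: docker_secrets
      changed_when: false
      when: false

    # Only secret *names* are printed here, never values; still skipped while
    # Swarm secrets are disabled.
    - name: Display deployed Docker secrets (skipped)
      debug:
        msg: "Deployed secrets: {{ docker_secrets.stdout_lines | default([]) }}"
      when: false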