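---
# Deploys a private Docker Registry stack on the target host:
#   1. auth directory and credentials (vault file > role defaults > generated)
#   2. REGISTRY_HTTP_SECRET persisted in <registry_stack_path>/.env
#   3. htpasswd file for basic auth (created once, guarded by `creates`)
#   4. compose deployment, container-state polling and an HTTP health check
# Expects registry_auth_path, registry_vault_file, registry_stack_path,
# registry_wait_timeout, registry_wait_interval, registry_healthcheck_url,
# registry_healthcheck_enabled and registry_healthcheck_validate_certs to be
# defined by the role's defaults/vars.

- name: Ensure Registry auth directory exists
  ansible.builtin.file:
    path: "{{ registry_auth_path }}"
    state: directory
    mode: '0755'
  become: true

- name: Check if registry vault file exists
  ansible.builtin.stat:
    path: "{{ registry_vault_file }}"
  delegate_to: localhost
  register: registry_vault_stat
  become: false

# `ignore_errors` (not `failed_when: false`) is required here: failed_when
# rewrites the registered result's `failed` key to false, so the decryption
# check in the next task would never fire.
- name: Optionally load registry credentials from vault
  ansible.builtin.include_vars:
    file: "{{ registry_vault_file }}"
  when: registry_vault_stat.stat.exists
  no_log: true
  delegate_to: localhost
  become: false
  register: registry_vault_vars
  ignore_errors: true

- name: Fail if registry vault decryption failed
  ansible.builtin.fail:
    msg: >
      Failed to decrypt {{ registry_vault_file }}.
      Provide a valid vault password (e.g. via --vault-password-file)
      or update docker_registry_password_default.
  when:
    - not ansible_check_mode
    - registry_vault_stat.stat.exists
    - registry_vault_vars is defined
    - registry_vault_vars.failed | default(false)

# Precedence: vault value > role default > freshly generated random value.
# NOTE(review): the trailing lookup('password', '/dev/null ...') yields a
# different value on every run, so it only makes sense as a last resort when
# docker_registry_password_default is undefined — a generated password will
# not match an htpasswd file created by an earlier run.
- name: Set registry credentials from vault or defaults or generate
  ansible.builtin.set_fact:
    registry_username: "{{ vault_docker_registry_username | default(docker_registry_username_default) }}"
    registry_password: >-
      {{ vault_docker_registry_password
         | default(docker_registry_password_default)
         | default(lookup('password', '/dev/null length=32 chars=ascii_letters,digits')) }}
  no_log: true

# Fresh candidate secret; replaced by the persisted one below when .env
# already holds a non-empty value.
- name: Generate REGISTRY_HTTP_SECRET if not set
  ansible.builtin.set_fact:
    registry_http_secret: "{{ lookup('password', '/dev/null length=64 chars=hexdigits') }}"
  no_log: true

- name: Check if Registry .env file exists
  ansible.builtin.stat:
    path: "{{ registry_stack_path }}/.env"
  register: registry_env_file

- name: Read existing REGISTRY_HTTP_SECRET from .env if exists
  ansible.builtin.shell: |
    grep '^REGISTRY_HTTP_SECRET=' "{{ registry_stack_path }}/.env" 2>/dev/null | cut -d'=' -f2- || echo ''
  register: existing_registry_secret
  changed_when: false
  failed_when: false
  when: registry_env_file.stat.exists
  no_log: true

- name: Use existing REGISTRY_HTTP_SECRET if available
  ansible.builtin.set_fact:
    registry_http_secret: "{{ existing_registry_secret.stdout | default(registry_http_secret) }}"
  when:
    - registry_env_file.stat.exists
    - existing_registry_secret.stdout | default('') | string | trim != ''
  no_log: true

- name: Create or update Registry .env file
  ansible.builtin.lineinfile:
    path: "{{ registry_stack_path }}/.env"
    regexp: '^REGISTRY_HTTP_SECRET='
    line: "REGISTRY_HTTP_SECRET={{ registry_http_secret }}"
    create: true
    mode: '0600'
    owner: "{{ ansible_user }}"
    group: "{{ ansible_user }}"
  no_log: true

# Username, password and path are shell-quoted: a vault-supplied password may
# contain shell metacharacters. The hash is written to a temp file first so a
# failed `docker run` cannot leave an empty htpasswd behind that would satisfy
# `creates:` on every later run. Mode stays 0644 as before.
- name: Create Registry htpasswd file if missing
  ansible.builtin.shell: |
    set -euo pipefail
    tmp="$(mktemp)"
    trap 'rm -f "$tmp"' EXIT
    docker run --rm --entrypoint htpasswd httpd:2 -Bbn \
      {{ registry_username | quote }} {{ registry_password | quote }} > "$tmp"
    install -m 0644 "$tmp" {{ (registry_auth_path ~ '/htpasswd') | quote }}
  args:
    executable: /bin/bash
    creates: "{{ registry_auth_path }}/htpasswd"
  become: true
  no_log: true
  when: not ansible_check_mode

- name: Deploy Docker Registry stack
  community.docker.docker_compose_v2:
    project_src: "{{ registry_stack_path }}"
    state: present
    pull: always
  register: registry_compose_result

# Fixed grace period (no port/path probe) before polling the container state.
- name: Wait for Docker Registry to be ready
  ansible.builtin.wait_for:
    timeout: "{{ registry_wait_timeout }}"
  when: registry_compose_result.changed

# retries = ceil(registry_wait_timeout / registry_wait_interval)
- name: Check Registry container status
  ansible.builtin.shell: |
    docker compose -f {{ (registry_stack_path ~ '/docker-compose.yml') | quote }} ps registry | grep -Eiq "Up|running"
  register: registry_state
  changed_when: false
  until: registry_state.rc == 0
  retries: "{{ ((registry_wait_timeout | int) + (registry_wait_interval | int) - 1) // (registry_wait_interval | int) }}"
  delay: "{{ registry_wait_interval | int }}"
  failed_when: registry_state.rc != 0
  when: not ansible_check_mode

# Best effort only: never fails, gives up after 6 x 10 s.
- name: Check Registry logs for readiness
  ansible.builtin.shell: docker compose logs registry 2>&1 | grep -Ei "(listening on|listening at|http server)" || true
  args:
    chdir: "{{ registry_stack_path }}"
  register: registry_logs
  until: registry_logs.stdout != ""
  retries: 6
  delay: 10
  changed_when: false
  failed_when: false
  when: not ansible_check_mode

# Result is reported by the next two tasks rather than failing the play.
- name: Verify Registry is accessible
  ansible.builtin.uri:
    url: "{{ registry_healthcheck_url }}"
    user: "{{ registry_username }}"
    password: "{{ registry_password }}"
    status_code: 200
    timeout: 5
    validate_certs: "{{ registry_healthcheck_validate_certs | bool }}"
  register: registry_check
  ignore_errors: true
  changed_when: false
  no_log: true
  when:
    - not ansible_check_mode
    - registry_healthcheck_enabled | bool

- name: Display Registry status
  ansible.builtin.debug:
    msg: "Registry accessibility: {{ 'SUCCESS' if registry_check.status == 200 else 'FAILED - may need manual check' }}"
  when:
    - not ansible_check_mode
    - registry_healthcheck_enabled | bool

- name: Record registry deployment facts
  ansible.builtin.set_fact:
    registry_stack_changed: "{{ registry_compose_result.changed | default(false) }}"
    registry_access_status: "{{ registry_check.status | default('disabled' if not registry_healthcheck_enabled else 'unknown') }}"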