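---
# Ansible Playbook: Setup Production Secrets
# Purpose: Deploy Docker Secrets and environment configuration to production
# Usage: ansible-playbook -i inventory/production.yml playbooks/setup-production-secrets.yml --ask-vault-pass
#
# Secret values come only from the vault file listed under vars_files. Every
# task that renders or transmits them runs with no_log so the values never
# reach stdout, the log or --diff output. Modules are referenced by FQCN so
# the play does not rely on short-name redirects (docker_secret lives in the
# community.docker collection).

- name: Setup Production Secrets and Environment
  hosts: production_server
  become: false
  vars_files:
    - ../secrets/production-vault.yml  # Encrypted with ansible-vault

  tasks:
    - name: Ensure secrets directory exists
      ansible.builtin.file:
        path: /home/deploy/secrets
        state: directory
        mode: '0700'
        owner: deploy
        group: deploy

    - name: Deploy environment file from vault
      ansible.builtin.template:
        src: ../templates/production.env.j2
        dest: /home/deploy/secrets/.env.production
        mode: '0600'
        owner: deploy
        group: deploy
      # The rendered file contains vault values; without no_log a --diff run
      # would print the whole file to the console.
      no_log: true
      notify: Restart services

    - name: Create Docker secrets (if swarm is initialized)
      community.docker.docker_secret:
        name: "{{ item.name }}"
        data: "{{ item.value }}"
        state: present
      loop:
        - { name: "db_password", value: "{{ vault_db_password }}" }
        - { name: "redis_password", value: "{{ vault_redis_password }}" }
        - { name: "app_key", value: "{{ vault_app_key }}" }
        - { name: "jwt_secret", value: "{{ vault_jwt_secret }}" }
        - { name: "registry_password", value: "{{ vault_registry_password }}" }
      no_log: true  # Don't log secrets (also hides the per-item loop echo)

    - name: Verify secrets are accessible
      # No shell features are used, so command: avoids spawning a shell.
      # `docker secret ls` prints metadata (id, name, timestamps) only, never
      # the secret payload, so registering its output is safe to display.
      ansible.builtin.command: docker secret ls
      register: secret_list
      changed_when: false
      # Read-only listing: run it in --check too so the debug task below
      # does not fail on an undefined secret_list.
      check_mode: false

    - name: Display deployed secrets (names only)
      ansible.builtin.debug:
        msg: "Deployed secrets: {{ secret_list.stdout_lines }}"

  handlers:
    - name: Restart services
      # One command per service: a failure on the first service is reported
      # instead of being masked by the exit status of the last shell line.
      ansible.builtin.command: "docker service update --force {{ item }}"
      loop:
        - framework_web
        - framework_queue-worker
      # ansible_check_mode is a magic variable that is always defined, so the
      # former `is not defined` test never fired and the handler was a no-op.
      when: not ansible_check_mode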