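---
# Monitoring stack deployment tasks.
#
# Flow: optionally load secrets from a vault file on the controller, derive the
# Grafana/Prometheus credentials, render the Traefik middleware and the stack's
# .env file, then bring the compose project up.
#
# Every task that handles a credential carries `no_log: true` so the value is
# kept out of task output; keep that flag when editing these tasks.

- name: Check if monitoring vault file exists
  ansible.builtin.stat:
    path: "{{ monitoring_vault_file }}"
  delegate_to: localhost
  register: monitoring_vault_stat
  become: false
  tags:
    - monitoring

# The `when` guard already makes the vault optional. Errors are deliberately
# NOT ignored here: if the file exists but cannot be read or decrypted, the
# play must stop rather than silently fall through to freshly generated
# passwords in the tasks below.
- name: Optionally load monitoring secrets from vault
  ansible.builtin.include_vars:
    file: "{{ monitoring_vault_file }}"
  when: monitoring_vault_stat.stat.exists
  no_log: true
  delegate_to: localhost
  become: false
  tags:
    - monitoring

# The password lookup targets /dev/null, so a generated value is not stored by
# the lookup itself and differs on every run in which the vault variable is
# absent. `default(..., true)` also replaces an empty vault value, so an empty
# admin password is never carried forward.
- name: Set Grafana admin password from vault or generate
  ansible.builtin.set_fact:
    grafana_admin_password: "{{ vault_grafana_admin_password | default(lookup('password', '/dev/null length=25 chars=ascii_letters,digits'), true) }}"
  no_log: true
  tags:
    - monitoring

- name: Set Prometheus password from vault or generate
  ansible.builtin.set_fact:
    prometheus_password: "{{ vault_prometheus_password | default(lookup('password', '/dev/null length=25 chars=ascii_letters,digits'), true) }}"
  no_log: true
  tags:
    - monitoring

# The password is fed to htpasswd on stdin (`-i`) instead of being templated
# into the command line. That keeps it out of the process list and means a
# vault-supplied value containing quotes, `$` or backticks is never interpreted
# by the shell.
# The pipeline's exit status is that of `cut` and stderr is discarded, so an
# empty result is treated as a failure explicitly; otherwise a failed
# `docker run` would yield the auth string "admin:" with no hash.
# NOTE(review): `httpd:alpine` is a floating tag; consider pinning it by digest.
- name: Generate Prometheus BasicAuth hash
  ansible.builtin.shell:
    cmd: |
      docker run --rm -i httpd:alpine htpasswd -niB admin 2>/dev/null | cut -d ":" -f 2
    stdin: "{{ prometheus_password }}"
  register: prometheus_auth_hash
  changed_when: false
  failed_when: >-
    prometheus_auth_hash.rc != 0
    or (prometheus_auth_hash.stdout | trim | length) == 0
  no_log: true
  tags:
    - monitoring

- name: Set Prometheus BasicAuth string
  ansible.builtin.set_fact:
    prometheus_auth: "admin:{{ prometheus_auth_hash.stdout }}"
  no_log: true
  tags:
    - monitoring

# The allowlist is a one-element list: the WireGuard network, falling back to
# 10.8.0.0/24 when `wireguard_network_default` is undefined.
# NOTE(review): confirm the fallback matches the real VPN subnet; a mismatch
# changes who the allowlist admits.
- name: Build VPN IP whitelist with endpoints
  ansible.builtin.set_fact:
    monitoring_vpn_ip_whitelist_ranges: "{{ [wireguard_network_default | default('10.8.0.0/24')] }}"
  tags:
    - monitoring

- name: Set VPN IP whitelist for monitoring
  ansible.builtin.set_fact:
    monitoring_vpn_ip_whitelist: "{{ monitoring_vpn_ip_whitelist_ranges | join(',') }}"
  tags:
    - monitoring

- name: Set Traefik stack path
  ansible.builtin.set_fact:
    traefik_stack_path: "{{ stacks_base_path }}/traefik"
  tags:
    - monitoring

# The template source lives two directories above this role.
# NOTE(review): the rendered file is world-readable (0644) and the task is not
# `no_log`; if the template embeds BasicAuth hashes, verify that is acceptable.
- name: Update Traefik middleware with dynamic VPN IPs
  ansible.builtin.template:
    src: "{{ role_path }}/../../templates/traefik-middlewares.yml.j2"
    dest: "{{ traefik_stack_path }}/dynamic/middlewares.yml"
    owner: "{{ ansible_user }}"
    group: "{{ ansible_user }}"
    mode: '0644'
  vars:
    vpn_network: "{{ wireguard_network_default | default('10.8.0.0/24') }}"
  tags:
    - monitoring

# No owner/group is set here, unlike the files rendered into this directory.
- name: Ensure monitoring stack directory exists
  ansible.builtin.file:
    path: "{{ monitoring_stack_path }}"
    state: directory
    mode: '0755'
  tags:
    - monitoring

# Rendered with mode 0600 and `no_log`; presumably this is where the
# credentials set above end up (the template is not part of this file).
- name: Create monitoring stack .env file
  ansible.builtin.template:
    src: "{{ monitoring_env_template }}"
    dest: "{{ monitoring_stack_path }}/.env"
    owner: "{{ ansible_user }}"
    group: "{{ ansible_user }}"
    mode: '0600'
  no_log: true
  tags:
    - monitoring

# `pull: always` re-pulls images on every run, so the deployed image follows
# whatever the compose file's tags currently resolve to.
- name: Deploy Monitoring stack
  community.docker.docker_compose_v2:
    project_src: "{{ monitoring_stack_path }}"
    state: present
    pull: always
  register: monitoring_compose_result
  tags:
    - monitoring

# With only `timeout` set, wait_for pauses for that many seconds; it does not
# probe a port or path, so this is a fixed delay rather than a readiness check.
- name: Wait for Monitoring to be ready
  ansible.builtin.wait_for:
    timeout: "{{ monitoring_wait_timeout }}"
  when: monitoring_compose_result.changed
  tags:
    - monitoring

- name: Record monitoring deployment facts
  ansible.builtin.set_fact:
    monitoring_stack_changed: "{{ monitoring_compose_result.changed | default(false) }}"
  tags:
    - monitoring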