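---
# Ansible Playbook for Zastava Agent VM/Bare-Metal Deployment
#
# Requirements:
#   - Target hosts must have Docker installed and running
#   - Ansible 2.10+ with community.docker collection
#
# Usage:
#   ansible-playbook -i inventory.yml zastava-agent.yml \
#     -e zastava_tenant=my-tenant \
#     -e scanner_backend_url=https://scanner.internal
#
# Variables (can be set in inventory or via -e):
#   zastava_tenant:       Tenant identifier (required)
#   scanner_backend_url:  Scanner backend URL (required)
#   zastava_version:      Version to deploy (default: latest)
#   zastava_checksum:     Expected checksum of the release archive in get_url
#                         form, e.g. "sha256:<hex-digest>" (optional; the
#                         download is NOT integrity-checked when it is unset)
#   zastava_node_name:    Override node name (default: hostname)
#   zastava_health_port:  Health check port (default: 8080)
#   docker_socket:        Docker socket path (default: /var/run/docker.sock)
#   download_base_url:    Release download base (default: https://releases.stellaops.org)
#
# Optional variables get their defaults via set_fact in pre_tasks rather than
# as self-referencing play vars (`x: "{{ x | default(...) }}"`): Ansible
# evaluates play vars lazily and reports "recursive loop detected in template
# string" for that pattern whenever the variable is not supplied.

- name: Deploy StellaOps Zastava Agent
  hosts: zastava_agents
  become: true
  vars:
    zastava_install_dir: /opt/stellaops/zastava-agent
    zastava_config_dir: /etc/stellaops
    zastava_data_dir: /var/lib/zastava-agent
    zastava_user: zastava-agent
    # Membership of the docker group gives the agent access to the Docker
    # socket, which is effectively root-equivalent on the host. The agent
    # needs it to observe containers, so keep the account otherwise
    # unprivileged (no shell, no home directory, no sudo).
    zastava_group: docker

  pre_tasks:
    - name: Apply defaults for optional variables
      ansible.builtin.set_fact:
        # 'latest' is a mutable reference; pin a version and supply
        # zastava_checksum for reproducible, verifiable deployments.
        zastava_version: "{{ zastava_version | default('latest') }}"
        zastava_health_port: "{{ zastava_health_port | default(8080) }}"
        docker_socket: "{{ docker_socket | default('/var/run/docker.sock') }}"
        download_base_url: "{{ download_base_url | default('https://releases.stellaops.org') }}"

    - name: Validate required variables
      ansible.builtin.assert:
        that:
          - zastava_tenant is defined and zastava_tenant | length > 0
          - scanner_backend_url is defined and scanner_backend_url | length > 0
        fail_msg: |
          Required variables not set. Please provide:
            - zastava_tenant: Your tenant identifier
            - scanner_backend_url: Scanner backend URL

    - name: Check Docker service is running
      ansible.builtin.systemd:
        name: docker
        state: started
      # check_mode only inspects the unit; the play must not start Docker
      # behind the operator's back.
      check_mode: true
      register: docker_status

    - name: Fail if Docker is not available
      ansible.builtin.fail:
        msg: "Docker service is not running on {{ inventory_hostname }}"
      when: docker_status.status.ActiveState != 'active'

  tasks:
    # =========================================================================
    # User and Directory Setup
    # =========================================================================
    - name: Create zastava-agent system user
      ansible.builtin.user:
        name: "{{ zastava_user }}"
        comment: StellaOps Zastava Agent
        system: true
        shell: /usr/sbin/nologin
        groups: "{{ zastava_group }}"
        create_home: false
        state: present

    - name: Create installation directory
      ansible.builtin.file:
        path: "{{ zastava_install_dir }}"
        state: directory
        owner: "{{ zastava_user }}"
        group: "{{ zastava_group }}"
        mode: '0755'

    - name: Create configuration directory
      ansible.builtin.file:
        path: "{{ zastava_config_dir }}"
        state: directory
        owner: root
        group: root
        mode: '0755'

    - name: Create data directory
      ansible.builtin.file:
        path: "{{ zastava_data_dir }}"
        state: directory
        owner: "{{ zastava_user }}"
        group: "{{ zastava_group }}"
        mode: '0750'

    - name: Create event buffer directory
      ansible.builtin.file:
        path: "{{ zastava_data_dir }}/runtime-events"
        state: directory
        owner: "{{ zastava_user }}"
        group: "{{ zastava_group }}"
        mode: '0750'

    # =========================================================================
    # Download and Install Agent
    # =========================================================================
    - name: Determine architecture
      ansible.builtin.set_fact:
        # Map uname-style names onto the release artifact naming; anything
        # else is passed through unchanged and will simply fail to download.
        arch_suffix: "{{ 'x64' if ansible_architecture == 'x86_64' else 'arm64' if ansible_architecture == 'aarch64' else ansible_architecture }}"

    - name: Download and install agent
      block:
        - name: Create temporary download location
          # A fresh, unpredictable path instead of a fixed name under /tmp,
          # so a pre-existing file or link cannot be picked up by the extract.
          ansible.builtin.tempfile:
            state: file
            suffix: -zastava-agent.tar.gz
          register: agent_archive

        - name: Download Zastava Agent binary
          ansible.builtin.get_url:
            url: "{{ download_base_url }}/zastava-agent/{{ zastava_version }}/zastava-agent-linux-{{ arch_suffix }}.tar.gz"
            dest: "{{ agent_archive.path }}"
            mode: '0644'
            # Integrity check of the archive; omitted (and thus unverified)
            # when zastava_checksum is not supplied.
            checksum: "{{ zastava_checksum | default(omit) }}"
          register: download_result
          # Older Ansible releases ignore retries unless until is present.
          until: download_result is succeeded
          retries: 3
          delay: 5

        - name: Extract Zastava Agent
          ansible.builtin.unarchive:
            src: "{{ agent_archive.path }}"
            dest: "{{ zastava_install_dir }}"
            remote_src: true
            owner: "{{ zastava_user }}"
            group: "{{ zastava_group }}"
            extra_opts:
              - '--strip-components=1'
          notify: Restart zastava-agent

        - name: Make agent binary executable
          ansible.builtin.file:
            path: "{{ zastava_install_dir }}/StellaOps.Zastava.Agent"
            mode: '0755'

      always:
        - name: Clean up downloaded archive
          ansible.builtin.file:
            path: "{{ agent_archive.path }}"
            state: absent
          when: agent_archive.path is defined

    # =========================================================================
    # Configuration
    # =========================================================================
    - name: Deploy environment configuration
      ansible.builtin.template:
        src: zastava-agent.env.j2
        dest: "{{ zastava_config_dir }}/zastava-agent.env"
        owner: root
        group: "{{ zastava_group }}"
        # Readable by every member of the docker group, not only the agent
        # account; keep secrets out of this file (or narrow the group) if it
        # ever carries backend credentials.
        mode: '0640'
      notify: Restart zastava-agent

    # =========================================================================
    # systemd Service
    # =========================================================================
    - name: Install systemd service unit
      ansible.builtin.copy:
        src: zastava-agent.service
        dest: /etc/systemd/system/zastava-agent.service
        owner: root
        group: root
        mode: '0644'
      notify:
        - Reload systemd
        - Restart zastava-agent

    - name: Enable and start zastava-agent service
      ansible.builtin.systemd:
        name: zastava-agent
        state: started
        enabled: true
        daemon_reload: true

    # =========================================================================
    # Health Verification
    # =========================================================================
    - name: Wait for agent health endpoint
      ansible.builtin.uri:
        url: "http://localhost:{{ zastava_health_port }}/healthz"
        method: GET
        status_code: 200
      register: health_result
      retries: 30
      delay: 2
      until: health_result.status == 200

    - name: Display agent status
      ansible.builtin.debug:
        msg: "Zastava Agent deployed successfully on {{ inventory_hostname }}"

  handlers:
    - name: Reload systemd
      ansible.builtin.systemd:
        daemon_reload: true

    - name: Restart zastava-agent
      ansible.builtin.systemd:
        name: zastava-agent
        state: restarted

# =============================================================================
# Post-deployment verification play
# =============================================================================
- name: Verify Zastava Agent Deployment
  hosts: zastava_agents
  become: false
  gather_facts: false
  tasks:
    - name: Check agent readiness
      ansible.builtin.uri:
        url: "http://localhost:{{ zastava_health_port | default(8080) }}/readyz"
        method: GET
        return_content: true
      register: ready_check
      # Do not abort here: a non-200 answer must still reach the summary
      # below so that the 'Not Ready' branch is actually reachable. The
      # assert after the summary restores the failure.
      failed_when: false

    - name: Display deployment summary
      ansible.builtin.debug:
        msg: |
          Zastava Agent Deployment Summary:
            - Host: {{ inventory_hostname }}
            - Status: {{ 'Ready' if ready_check.status == 200 else 'Not Ready' }}
            - Health Endpoint: http://localhost:{{ zastava_health_port | default(8080) }}/healthz
            - Tenant: {{ zastava_tenant }}
            - Backend: {{ scanner_backend_url }}

    - name: Fail if agent is not ready
      ansible.builtin.assert:
        that:
          - ready_check.status == 200
        fail_msg: "Zastava Agent on {{ inventory_hostname }} is not ready (HTTP status {{ ready_check.status }})"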