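---
# One-time run to deploy Watchtower's SSH public key to TerraMaster.
# After this succeeds, --ask-pass is no longer needed for terramaster playbooks.
#
# Usage:
#   ansible-playbook playbooks/storage/terramaster_deploy_ssh_key.yml --ask-pass
#
# Security notes:
#   - This run authenticates with a password, so confirm the TerraMaster host
#     key out of band before the first connection; the password is sent to
#     whichever host answers.
#   - The file at ssh_public_key_path is copied to the remote host verbatim.
#     The validation task below refuses anything that is not a single
#     OpenSSH public key line, so a private key is never sent by mistake.
#   - Tasks on the TerraMaster use ansible.builtin.raw with fact gathering off,
#     presumably because the NAS has no usable Python (confirm). raw does no
#     quoting of its own, so every templated value must be shell-quoted.
- name: Deploy SSH public key to TerraMaster
  hosts: terramaster
  gather_facts: false
  become: false

  vars:
    # Path on the control node; override with -e ssh_public_key_path=... if needed.
    ssh_public_key_path: "/home/chester/.ssh/id_ed25519.pub"

  tasks:
    - name: Verify public key file exists on control node
      ansible.builtin.stat:
        path: "{{ ssh_public_key_path }}"
      register: pubkey_stat
      delegate_to: localhost
      failed_when: not pubkey_stat.stat.exists

    # slurp returns the file base64-encoded in .content; later tasks decode it.
    - name: Read public key content from control node
      ansible.builtin.slurp:
        src: "{{ ssh_public_key_path }}"
      register: pubkey_content
      delegate_to: localhost

    # Guard against a mis-set path (for example the private key) and against
    # multi-line input that would add more than one authorized_keys entry.
    # The assertion result reports only the expression, not the file content.
    - name: Validate that the file holds a single OpenSSH public key line
      ansible.builtin.assert:
        that:
          - "pubkey_line is match('^(ssh-|ecdsa-|sk-)[^ ]+ [A-Za-z0-9+/=]+( .*)?$')"
        fail_msg: >-
          {{ ssh_public_key_path }} does not look like a single-line OpenSSH
          public key; refusing to deploy it.
        quiet: true
      vars:
        pubkey_line: "{{ pubkey_content.content | b64decode | trim }}"

    - name: Ensure ~/.ssh directory exists on TerraMaster
      ansible.builtin.raw: "mkdir -p ~/.ssh && chmod 700 ~/.ssh"
      changed_when: false

    # The key is passed through the quote filter so that characters in the
    # free-text comment field ($, backticks, double quotes) are not
    # interpreted by the remote shell.
    # umask 077 keeps a newly created authorized_keys private from the moment
    # it is written, before the chmod runs.
    # If the existing file does not end in a newline, one is added first so
    # the new key is not glued onto the last existing entry.
    # The script prints KEY_ADDED or KEY_ALREADY_PRESENT; changed_when keys
    # off that marker.
    - name: Deploy public key to TerraMaster authorized_keys
      ansible.builtin.raw: |
        umask 077
        key={{ pubkey_content.content | b64decode | trim | quote }}
        if ! grep -qF "$key" ~/.ssh/authorized_keys 2>/dev/null; then
          if [ -s ~/.ssh/authorized_keys ] && [ -n "$(tail -c 1 ~/.ssh/authorized_keys)" ]; then
            echo >> ~/.ssh/authorized_keys
          fi
          echo "$key" >> ~/.ssh/authorized_keys
          chmod 600 ~/.ssh/authorized_keys
          echo "KEY_ADDED"
        else
          echo "KEY_ALREADY_PRESENT"
        fi
      register: key_deploy_result
      changed_when: "'KEY_ADDED' in key_deploy_result.stdout"

    - name: Report key deployment result
      ansible.builtin.debug:
        msg: "{{ key_deploy_result.stdout | trim }}"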