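---
# playbooks/docker/heimdall_update.yml
# OS package update for the Heimdall edge router host.
#
# ─────────────────────────────────────────────────────────────────────────────
# ⚠️ HUMAN-TRIGGERED ONLY — do not automate or schedule.
# Heimdall is a standalone Docker host (not in Swarm) — no drain needed.
# Reboot will take Traefik/edge routing offline briefly.
# ─────────────────────────────────────────────────────────────────────────────
#
# What this does:
#   1. Refreshes the apt cache and runs apt dist-upgrade
#   2. Checks whether a newer kernel is installed than the one running
#      (read-only, tagged `always` so the final report is never left with an
#      undefined variable when the reboot is skipped via tags)
#   3. Reboots if a newer kernel was installed and waits for return
#   4. Verifies the Docker daemon answers `docker info` before completing —
#      done after every run, not just after a reboot, because dist-upgrade may
#      restart the Docker packages themselves
#
# Usage:
#   ansible-playbook -i inventory/hosts.ini playbooks/docker/heimdall_update.yml
#
# Dry-run (apt and reboot modules honour check mode; the kernel check and
# `docker info` still run because they are read-only):
#   ansible-playbook -i inventory/hosts.ini playbooks/docker/heimdall_update.yml --check
#
# Update packages but skip reboot even if kernel changed (the final report
# then states explicitly that a manual reboot is still pending):
#   ansible-playbook -i inventory/hosts.ini playbooks/docker/heimdall_update.yml --skip-tags reboot

- name: Heimdall OS update
  hosts: heimdall
  become: true

  tasks:
    - name: Update apt cache
      ansible.builtin.apt:
        update_cache: true
        # Always refresh — a package update run must not rely on a stale index.
        cache_valid_time: 0
      tags: [update]

    - name: Run apt dist-upgrade
      ansible.builtin.apt:
        upgrade: dist
        # Cache was refreshed by the previous task in this play.
        update_cache: false
      register: dist_upgrade_result
      tags: [update]

    # Compares the highest-versioned installed kernel image under /boot with the
    # running kernel. Prints "reboot_needed" on mismatch, nothing otherwise.
    # Tagged `always` so `--skip-tags reboot` / `--tags update` still populate
    # reboot_check for the report task; the task itself changes nothing.
    - name: Check if a newer kernel is installed but not yet booted
      ansible.builtin.shell: |
        set -eu
        LATEST=$(ls -1 /boot/vmlinuz-* 2>/dev/null | sed 's|^/boot/vmlinuz-||' | sort -V | tail -n 1)
        RUNNING=$(uname -r)
        # Empty LATEST (no vmlinuz-* found) must not be reported as a mismatch,
        # otherwise an unexpected /boot layout would trigger a needless reboot.
        if [ -n "$LATEST" ] && [ "$LATEST" != "$RUNNING" ]; then
          echo "reboot_needed"
        fi
      register: reboot_check
      changed_when: false
      check_mode: false
      tags: [always]

    - name: Reboot if a newer kernel is installed
      ansible.builtin.reboot:
        msg: "Rebooting into updated kernel — initiated by heimdall_update.yml"
        reboot_timeout: 300
      register: reboot_result
      when: reboot_check.stdout | trim == 'reboot_needed'
      tags: [reboot]

    # ansible.builtin.reboot already waits for the host to come back; this is a
    # belt-and-braces wait with an independent timeout in case the reboot
    # module's post-reboot test passed before the connection was fully stable.
    - name: Wait for Heimdall to return post-reboot
      ansible.builtin.wait_for_connection:
        delay: 10
        timeout: 300
      when: reboot_check.stdout | trim == 'reboot_needed'
      tags: [reboot]

    # Runs on every invocation (read-only): a dist-upgrade can restart the
    # Docker daemon even without a reboot, and edge routing depends on it.
    # 18 × 10 s gives the daemon up to ~3 minutes to come back.
    - name: Wait for Docker daemon to be ready
      ansible.builtin.command: docker info
      register: docker_ready
      until: docker_ready.rc == 0
      retries: 18
      delay: 10
      changed_when: false
      check_mode: false
      tags: [always]

    # reboot_result is undefined when the reboot tag was skipped and `skipped`
    # when no kernel change was found; in check mode the reboot module reports
    # a change without actually rebooting, so ansible_check_mode is consulted
    # as well. A pending-but-skipped reboot is reported explicitly rather than
    # silently described as "rebooted".
    - name: Report result
      ansible.builtin.debug:
        msg: >-
          ✅ Heimdall updated.
          {{ 'Packages upgraded.' if (dist_upgrade_result is defined and dist_upgrade_result is changed) else 'No package changes.' }}
          {% if reboot_result is defined and reboot_result is not skipped and not ansible_check_mode -%}
          Rebooted into new kernel.
          {%- elif reboot_check.stdout | default('') | trim == 'reboot_needed' -%}
          ⚠️ Newer kernel installed but NOT rebooted (reboot tag skipped or check mode) — reboot manually to activate it.
          {%- else -%}
          No kernel change — reboot not required.
          {%- endif %}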