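---
# Node Onboarding Playbook
# Purpose: Bootstrap new nodes for Ansible management
# Usage: ansible-playbook playbooks/onboard-nodes.yml -k -K
#   (-k prompts for SSH password, -K prompts for sudo password)
#
# The play runs as the connecting user (become: false) and only writes to that
# user's own ~/.ssh. Every other task is a read-only check whose result is
# reported with debug, never enforced.

- name: Onboard new nodes to Ansible control
  hosts: physical_servers
  # Full fact gathering is required here: the tasks below read ansible_env,
  # ansible_distribution*, ansible_architecture and ansible_user_id. A second
  # setup call with a reduced gather_subset would only repeat work already done.
  gather_facts: true
  become: false

  vars:
    # ansible_user is only defined when set in inventory/extra vars; when the
    # remote user comes from -u alone, fall back to the gathered login name.
    onboard_user: "{{ ansible_user | default(ansible_user_id) }}"

  tasks:
    - name: Display target host information
      ansible.builtin.debug:
        msg: |
          Onboarding {{ inventory_hostname }}
          IP: {{ ansible_host | default(inventory_hostname) }}
          Distribution: {{ ansible_distribution }} {{ ansible_distribution_version }}
          Architecture: {{ ansible_architecture }}

    - name: Ensure .ssh directory exists
      ansible.builtin.file:
        # Use the real home directory instead of assuming /home/<user>, so the
        # directory created here is the one authorized_key writes into.
        path: "{{ ansible_env.HOME }}/.ssh"
        state: directory
        mode: "0700"
        owner: "{{ onboard_user }}"
        group: "{{ onboard_user }}"

    - name: Deploy watchtower SSH public key
      ansible.builtin.authorized_key:
        user: "{{ onboard_user }}"
        state: present
        # Public half of the control host's key pair (no secret material).
        # Rotating the key on the control host means updating this line.
        key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ9ryXcRsMITcIW+Rc0t3Qou7XGfyIeihLR2PInySogp ansible@watchtower"
        comment: "ansible@watchtower"

    - name: Test passwordless sudo access
      # -n makes sudo fail instead of prompting, so the play cannot hang here.
      ansible.builtin.command: sudo -n true
      register: sudo_check
      changed_when: false
      failed_when: false

    - name: Display sudo access status
      ansible.builtin.debug:
        msg: >-
          {% if sudo_check.rc == 0 %}
          ✅ Passwordless sudo is configured
          {% else %}
          ⚠️ Passwordless sudo is NOT configured - some playbooks may require -K flag
          {% endif %}

    - name: Verify Python 3 is available
      # Left fatal on purpose: without python3 no other module can run anyway.
      ansible.builtin.command: python3 --version
      register: python_version
      changed_when: false

    - name: Display Python version
      ansible.builtin.debug:
        msg: "Python: {{ python_version.stdout }}"

    - name: Check if Docker is installed
      ansible.builtin.command: docker --version
      register: docker_check
      changed_when: false
      failed_when: false

    - name: Display Docker status
      ansible.builtin.debug:
        msg: >-
          {% if docker_check.rc == 0 %}
          ✅ Docker installed: {{ docker_check.stdout }}
          {% else %}
          ⚠️ Docker is NOT installed
          {% endif %}

    - name: Check NFS mount point
      # stat only tells us the path exists, not that anything is mounted on it;
      # the message below is worded accordingly.
      ansible.builtin.stat:
        path: /mnt/appdata
      register: nfs_mount

    - name: Display NFS mount status
      ansible.builtin.debug:
        msg: >-
          {% if nfs_mount.stat.exists %}
          ✅ /mnt/appdata exists
          {% else %}
          ⚠️ /mnt/appdata does NOT exist
          {% endif %}

    - name: Create onboarding summary
      ansible.builtin.debug:
        msg:
          - "=========================================="
          - "Onboarding Complete for {{ inventory_hostname }}"
          - "=========================================="
          - "✅ SSH key deployed"
          - "✅ Host is reachable"
          - "Next steps:"
          - "  • Test connectivity: ansible {{ inventory_hostname }} -m ping"
          - "  • Verify sudo: ansible {{ inventory_hostname }} -b -m command -a 'whoami'"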