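---
# roles/swarm_node_exporter/tasks/main.yml
# Deploy node-exporter on each swarm node for host metrics collection.
#
# Variables consumed here are defined outside this file (role defaults/vars):
#   node_exporter_container_name, node_exporter_version,
#   node_exporter_restart_policy, node_exporter_volumes, node_exporter_port,
#   node_exporter_memory_limit, node_exporter_cpu_limit.
# The final debug task reads ansible_hostname, so the play must gather facts
# (or set that variable explicitly).

- name: Ensure node-exporter container is running
  community.docker.docker_container:
    name: "{{ node_exporter_container_name }}"
    # The tag comes from node_exporter_version; keep it pinned to an explicit
    # release rather than "latest" so upgrades are deliberate and reproducible.
    image: "prom/node-exporter:{{ node_exporter_version }}"
    state: started
    restart_policy: "{{ node_exporter_restart_policy }}"
    # NOTE(review): the exporter only reads /proc, /sys and the root fs, so the
    # entries in node_exporter_volumes should carry ":ro" — confirm in defaults.
    volumes: "{{ node_exporter_volumes }}"
    command:
      - '--path.procfs=/host/proc'
      - '--path.sysfs=/host/sys'
      - '--path.rootfs=/rootfs'
      # Single "$": the "$$" form is docker-compose's escape for a literal "$"
      # and is not needed when the argument is passed as a plain list item.
      - '--collector.filesystem.mount-points-exclude=^/(sys|proc|dev|host|etc)($|/)'
    # Host networking: the metrics port is bound on the node's own interfaces,
    # so reachability must be restricted outside this role (host firewall or a
    # dedicated scrape network). A "ports:" mapping would have no effect here.
    network_mode: "host"
    # === SECURITY HARDENING ===
    # Immutable root fs, no privilege escalation, no Linux capabilities: the
    # exporter needs none of them to read host metrics via the bind mounts.
    read_only: true
    security_opts:
      - no-new-privileges:true
    cap_drop:
      - ALL
    # === RESOURCE LIMITS ===
    memory: "{{ node_exporter_memory_limit }}"
    cpus: "{{ node_exporter_cpu_limit }}"
  register: node_exporter_container

- name: Verify node-exporter is responding
  ansible.builtin.uri:
    # The uri module runs on the managed node, so localhost is the swarm node
    # itself (host networking makes the exporter reachable there directly).
    url: "http://localhost:{{ node_exporter_port }}/metrics"
    method: GET
    status_code: 200
  register: exporter_health
  # Without "until", Ansible forces retries to 1, so retries/delay alone never
  # re-polled a container that was still starting. Poll until the endpoint
  # answers 200 or the attempts are exhausted (3 tries, 5 s apart).
  until: exporter_health.status == 200
  retries: 3
  delay: 5
  # Redundant with status_code: 200 above; kept so a non-200 answer is an
  # explicit failure even if status_code is later widened.
  failed_when: exporter_health.status != 200

- name: Display node-exporter endpoint
  ansible.builtin.debug:
    msg: "✅ node-exporter is running on {{ ansible_hostname }}:{{ node_exporter_port }}"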