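---
# Pre-condition: the target host must already be converged by railiance-infra
# (`make converge` in that repo) before running this playbook.
# OS hardening (SSH, UFW, fail2ban) is owned by railiance-infra — see ADR-003.
#
# What this play does, in order:
#   1. installs a few base packages via apt
#   2. installs a pinned k3s server and waits for the node to be Ready
#   3. installs a pinned Helm release (download + sha256 verification)
#   4. copies the k3s kubeconfig to the control node and rewrites its server
#      address so it can be used remotely
#
# Assumes a single host per play: the fetched kubeconfig is written to one
# flat destination, so with several hosts each fetch overwrites the last one.

- name: Railiance host bootstrap — k3s + Helm
  hosts: all
  become: true

  vars:
    k3s_version: "v1.35.1+k3s1"
    helm_version: "v3.17.3"
    # Helm release artifact architecture (amd64, arm64, ...); the k3s installer
    # detects the architecture itself and needs no equivalent.
    helm_arch: "amd64"
    # Destination on the control node. Must not be committed: the file holds
    # cluster-admin credentials for the host.
    kubeconfig_local_path: "~/.kube/config-hosteurope"

  tasks:
    # ── Base packages ────────────────────────────────────────────────────────
    - name: Ensure base packages
      ansible.builtin.apt:
        name:
          - curl
          - git
          - jq
        update_cache: true
        state: present

    # ── k3s ──────────────────────────────────────────────────────────────────
    # Only the k3s release is pinned; the installer script fetched from
    # get.k3s.io is not, so any change there is picked up on the next fresh
    # install. `pipefail` makes a failed download fail the task instead of
    # handing an empty script to `sh` and reporting success.
    #
    # NOTE(review): `--write-kubeconfig-mode=644` makes /etc/rancher/k3s/k3s.yaml
    # (cluster-admin credentials) readable by every local user. This play reads
    # it as root anyway, so the k3s default (0600) would suffice unless
    # unprivileged users on the host need kubectl — confirm before tightening.
    - name: Install k3s (server, pinned version)
      ansible.builtin.shell: |
        set -o pipefail
        curl -sfL https://get.k3s.io | \
          INSTALL_K3S_VERSION="{{ k3s_version }}" \
          INSTALL_K3S_EXEC="server --cluster-init --write-kubeconfig-mode=644" \
          sh -
      args:
        executable: /bin/bash
        creates: /usr/local/bin/k3s

    - name: Ensure k3s service is started and enabled
      ansible.builtin.systemd:
        name: k3s
        state: started
        enabled: true

    - name: Wait for node to reach Ready state
      ansible.builtin.command: >-
        k3s kubectl wait node --all --for=condition=Ready --timeout=120s
      changed_when: false

    - name: Verify k3s node
      ansible.builtin.command: k3s kubectl get nodes
      register: nodes
      changed_when: false

    - name: Show k3s nodes
      ansible.builtin.debug:
        var: nodes.stdout_lines

    # ── Helm ─────────────────────────────────────────────────────────────────
    # `helm version --short` prints e.g. "v3.17.3+g<sha>", so a substring match
    # on helm_version decides whether the install tasks run at all.
    - name: Check if Helm is already installed at correct version
      ansible.builtin.shell: helm version --short 2>/dev/null || true
      register: helm_installed
      changed_when: false

    # Download, verification and install happen in one task inside a private
    # temporary directory (removed on exit, including on failure). This avoids
    # fixed, predictable filenames in the shared /tmp and leaves no window
    # between verifying the archive and extracting it.
    #
    # The .sha256sum file comes from the same origin as the archive, so the
    # check protects against a corrupted or truncated download, not against a
    # compromised origin; pinning the expected digest here would do that.
    - name: Download, verify and install Helm
      ansible.builtin.shell: |
        set -eu
        workdir="$(mktemp -d)"
        trap 'rm -rf "$workdir"' EXIT
        cd "$workdir"
        curl -sfLO "https://get.helm.sh/helm-{{ helm_version }}-linux-{{ helm_arch }}.tar.gz"
        curl -sfLO "https://get.helm.sh/helm-{{ helm_version }}-linux-{{ helm_arch }}.tar.gz.sha256sum"
        sha256sum -c "helm-{{ helm_version }}-linux-{{ helm_arch }}.tar.gz.sha256sum"
        tar -xzf "helm-{{ helm_version }}-linux-{{ helm_arch }}.tar.gz"
        install -m 0755 "linux-{{ helm_arch }}/helm" /usr/local/bin/helm
      when: helm_version not in helm_installed.stdout

    - name: Verify Helm
      ansible.builtin.command: helm version --short
      register: helm_ver
      changed_when: false

    - name: Show Helm version
      ansible.builtin.debug:
        var: helm_ver.stdout

    # ── Kubeconfig ───────────────────────────────────────────────────────────
    # `flat: true` writes exactly kubeconfig_local_path instead of
    # <dest>/<hostname>/etc/rancher/k3s/k3s.yaml.
    - name: Fetch kubeconfig to control node
      ansible.builtin.fetch:
        src: /etc/rancher/k3s/k3s.yaml
        dest: "{{ kubeconfig_local_path }}"
        flat: true

    # fetch creates the local file with the controller's default umask; the
    # file is a cluster-admin credential, so make it owner-only.
    - name: Restrict permissions on fetched kubeconfig
      delegate_to: localhost
      become: false
      ansible.builtin.file:
        path: "{{ kubeconfig_local_path }}"
        mode: "0600"

    # k3s writes 127.0.0.1 as the API server address; rewrite it to the address
    # Ansible used to reach the host. Assumes ansible_host is set in inventory
    # and is one of the API server certificate's SANs — verify on first use.
    - name: Fix server address in fetched kubeconfig
      delegate_to: localhost
      become: false
      ansible.builtin.replace:
        path: "{{ kubeconfig_local_path }}"
        regexp: 'server: https://127\.0\.0\.1:6443'
        replace: "server: https://{{ ansible_host }}:6443"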