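---
# Installs the age and sops binaries and prepares root's SOPS age key
# directory.
#
# Optional integrity pins (both tasks behave as before when these are unset):
#   age_archive_sha256 - hex SHA-256 of the age release tarball
#   sops_checksum      - get_url checksum string, e.g. "sha256:<hex digest>"
# Take the values from the upstream release pages; none are hard-coded here.

- name: Install age
  ansible.builtin.shell: |
    set -euo pipefail
    # Skip the download entirely when an age binary is already on PATH.
    if command -v age >/dev/null; then
      exit 0
    fi
    url=https://github.com/FiloSottile/age/releases/download/v1.1.1/age-v1.1.1-linux-amd64.tar.gz
    archive="$(mktemp)"
    trap 'rm -f "$archive"' EXIT
    # Download to a file first so the archive can be verified before
    # anything is unpacked into /usr/local/bin.
    curl -fsSL -o "$archive" "$url"
    if [ -n "${AGE_SHA256}" ]; then
      printf '%s  %s\n' "${AGE_SHA256}" "$archive" | sha256sum -c -
    fi
    tar -xzf "$archive" -C /usr/local/bin --strip-components=1 age/age
    # Marker consumed by changed_when below.
    echo age-installed
  args:
    executable: /bin/bash
  environment:
    # Empty string disables verification (no pin supplied).
    AGE_SHA256: "{{ age_archive_sha256 | default('') }}"
  register: age_install
  # Report "changed" only when the binary was actually installed.
  changed_when: "'age-installed' in age_install.stdout"

- name: Install sops
  ansible.builtin.get_url:
    url: https://github.com/getsops/sops/releases/download/v3.9.0/sops-v3.9.0.linux.amd64
    dest: /usr/local/bin/sops
    mode: '0755'
    # Verified against the pinned digest when sops_checksum is set;
    # omitted (no verification) otherwise.
    checksum: "{{ sops_checksum | default(omit) }}"

- name: Create SOPS age dir
  ansible.builtin.file:
    path: /root/.config/sops/age
    state: directory
    # Root-only: this directory is where the age private key would live.
    mode: '0700'

# In production, you would inject the private key at runtime; do NOT store it
# on hosts by default.
# This task is intentionally a placeholder (disabled by default).
# If it is ever enabled, keep no_log so the key does not appear in task output
# or logs.
# - name: (optional) Drop SOPS_AGE_KEY for automation
#   ansible.builtin.copy:
#     dest: /root/.config/sops/age/keys.txt
#     content: "{{ sops_age_private_key }}"
#     mode: '0600'
#   no_log: true
#   when: sops_age_private_key is defined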