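---
# Provisioning play: prompts for the first user's credentials, merges them into
# the `system` variable, then runs the provisioning roles in order and finally
# reconnects to the installed system to install the requested packages.
- name: Create and configure VMs
  hosts: "{{ bootstrap_target | default('all') }}"
  strategy: free  # noqa: run-once[play]
  gather_facts: false
  become: true

  # The two password prompts leave `private` at its default (true), so the
  # input is not echoed; `confirm: true` asks for each value twice.
  vars_prompt:
    - name: user_name
      prompt: |
        What is your username?
      private: false
    - name: user_public_key
      prompt: |
        What is your ssh key?
      private: false
    - name: user_password
      prompt: |
        What is your password?
      confirm: true
    - name: root_password
      prompt: |
        What is your root password?
      confirm: true

  pre_tasks:
    # Builds the final `system` fact. Values already present in `system`
    # (first user's name, keys and password, and the root password) take
    # precedence; the prompted values only fill in what is empty or missing.
    - name: Apply prompted authentication values to system input
      vars:
        system_input: "{{ system | default({}) }}"
        system_users_input: "{{ system_input.users | default([]) }}"
        # First user entry, or {} when `users` is not a non-empty list.
        system_first_user: >-
          {{
            system_users_input[0]
            if (
              system_users_input is iterable
              and system_users_input is not string
              and system_users_input is not mapping
              and system_users_input | length > 0
            )
            else {}
          }}
        system_root_input: >-
          {{
            (system_input.root | default({}))
            if (system_input.root is mapping)
            else {}
          }}
        # default(..., true) also falls back when the prompt answer is empty.
        prompt_user_name: >-
          {{ user_name | default(system_user_name | default(''), true) | string }}
        prompt_user_key: >-
          {{
            user_public_key
            | default(user_key | default(system_user_key | default(''), true), true)
            | string
            | trim
          }}
        prompt_user_password: >-
          {{ user_password | default(system_user_password | default(''), true) | string }}
        prompt_root_password: >-
          {{ root_password | default(system_root_password | default(''), true) | string }}
        resolved_user:
          name: >-
            {{
              system_first_user.name | string
              if (system_first_user.name | default('') | string | length) > 0
              else prompt_user_name
            }}
          keys: >-
            {{
              system_first_user['keys']
              if (
                system_first_user['keys'] is defined
                and system_first_user['keys'] is iterable
                and system_first_user['keys'] is not string
                and system_first_user['keys'] | length > 0
              )
              else (
                [prompt_user_key]
                if (prompt_user_key | length > 0)
                else []
              )
            }}
          password: >-
            {{
              system_first_user.password | string
              if (system_first_user.password | default('') | string | length) > 0
              else prompt_user_password
            }}
      # The resulting fact contains the user and root passwords in clear text;
      # no_log keeps them out of task output and callback logs (for example
      # when the play is run with -v).
      no_log: true
      ansible.builtin.set_fact:
        system: >-
          {{
            system_input
            | combine(
              {
                'users': (
                  [resolved_user]
                  + (
                    system_users_input[1:]
                    if (
                      system_users_input is sequence
                      and system_users_input is not string
                      and system_users_input | length > 1
                    )
                    else []
                  )
                ),
                'root': {
                  'password': (
                    (system_root_input.password | default('') | string | length) > 0
                  ) | ternary(system_root_input.password | string, prompt_root_password)
                }
              },
              recursive=True
            )
          }}

    - name: Load global defaults
      ansible.builtin.import_role:
        name: global_defaults

    - name: Perform safety checks
      ansible.builtin.import_role:
        name: system_check

  roles:
    # Runs on the control node (local connection, no privilege escalation).
    - role: virtualization
      when: system_cfg.type == "virtual"
      become: false
      vars:
        ansible_connection: local

    - role: environment
      vars:
        ansible_connection: "{{ 'vmware_tools' if hypervisor_type == 'vmware' else 'ssh' }}"

    - role: partitioning
      vars:
        partitioning_boot_partition_suffix: 1
        partitioning_main_partition_suffix: 2

    - role: bootstrap

    - role: configuration

    - role: cis
      when: system_cfg.features.cis.enabled | bool

    - role: cleanup
      when: system_cfg.type in ["virtual", "physical"]
      become: false

  post_tasks:
    # True when the connection is not plain SSH, or when an address for the
    # installed system is known (configured IP, or ansible_host on physical).
    - name: Set post-reboot connection flags
      ansible.builtin.set_fact:
        post_reboot_can_connect: >-
          {{
            (ansible_connection | default('ssh')) != 'ssh'
            or ((system_cfg.network.ip | default('') | string | length) > 0)
            or (
              system_cfg.type == 'physical'
              and (ansible_host | default('') | string | length) > 0
            )
          }}

    - name: Reset SSH connection before post-reboot tasks
      when:
        - post_reboot_can_connect | bool
      ansible.builtin.meta: reset_connection

    # Switches the connection to the first configured user. The facts set here
    # include that user's password, so the task result is hidden with no_log.
    - name: Set final SSH credentials for post-reboot tasks
      when:
        - post_reboot_can_connect | bool
      no_log: true
      ansible.builtin.set_fact:
        ansible_user: "{{ system_cfg.users[0].name }}"
        ansible_password: "{{ system_cfg.users[0].password }}"
        ansible_become_password: "{{ system_cfg.users[0].password }}"
        # NOTE(review): host-key verification is switched off, so the password
        # login above is sent to an endpoint whose identity is not checked.
        # Presumably intentional because the installed system has a new,
        # unknown host key; confirm this only runs on a trusted provisioning
        # network, or pin the host key recorded during bootstrap instead.
        ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
        ansible_python_interpreter: /usr/bin/python3

    # Minimal fact subset: only what the package module needs.
    - name: Re-gather facts for target OS after reboot
      when:
        - post_reboot_can_connect | bool
      ansible.builtin.setup:
        gather_subset:
          - "!all"
          - min
          - pkg_mgr

    - name: Install post-reboot packages
      when:
        - post_reboot_can_connect | bool
        - system_cfg.packages is defined
        - system_cfg.packages | length > 0
      ansible.builtin.package:
        name: "{{ system_cfg.packages }}"
        state: present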