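---
# Shape validation for the caller-supplied `system` variable.
#
# Every assert below stops the play with a specific message when part of the
# structure has the wrong type. Only types are checked in this file; values
# such as addresses, user names and key material are not validated here.

- name: Ensure system input is a dictionary
  # Default an undefined `system` to an empty dict so the checks below can
  # dereference it. A defined but non-dict value is left untouched and is
  # rejected by the next task.
  ansible.builtin.set_fact:
    system: "{{ system | default({}) }}"

- name: Validate system input types
  ansible.builtin.assert:
    that:
      - system is mapping
      - system.network is not defined or system.network is mapping
      # Strings and mappings are both iterable in Jinja2, so they are
      # excluded explicitly to leave only list-like values.
      - >-
        system.users is not defined or
        (system.users is iterable and
        system.users is not string and
        system.users is not mapping)
      - system.root is not defined or system.root is mapping
      - system.luks is not defined or system.luks is mapping
      - system.features is not defined or system.features is mapping
    fail_msg: >-
      system and its nested keys (network, root, luks, features) must be
      dictionaries; system.users must be a list.
    quiet: true

- name: Validate DNS lists (not strings)
  when: system.network is defined and system.network.dns is defined
  ansible.builtin.assert:
    that:
      # Without this check a scalar `dns` value has no `servers`/`search`
      # attribute, so both list checks would pass and the bad input would
      # go unreported.
      - system.network.dns is mapping
      # `is not mapping` matches the system.users check: a dict is iterable
      # and not a string, so it would otherwise be accepted as a list.
      - >-
        system.network.dns.servers is not defined or
        (system.network.dns.servers is iterable and
        system.network.dns.servers is not string and
        system.network.dns.servers is not mapping)
      - >-
        system.network.dns.search is not defined or
        (system.network.dns.search is iterable and
        system.network.dns.search is not string and
        system.network.dns.search is not mapping)
    fail_msg: >-
      system.network.dns must be a dictionary; system.network.dns.servers and
      system.network.dns.search must be lists, not strings.
    quiet: true

- name: Validate system.users entries
  when: system.users is defined and system.users | length > 0
  ansible.builtin.assert:
    that:
      - item is mapping
      # Coerce to string before measuring so a non-string name cannot break
      # the length test; an empty name is rejected.
      - item.name is defined and (item.name | string | length) > 0
      # Bracket access is required: `item.keys` would resolve to the dict
      # method rather than the user-supplied 'keys' entry. A mapping is
      # rejected for the same reason as in the DNS checks.
      - >-
        item['keys'] is not defined or
        (item['keys'] is iterable and
        item['keys'] is not string and
        item['keys'] is not mapping)
    fail_msg: "Each system.users[] entry must be a dict with 'name'; 'keys' must be a list."
    quiet: true
  loop: "{{ system.users }}"
  loop_control:
    # Falls back to a placeholder so a malformed entry still gets a label.
    label: "{{ item.name | default('(unnamed)') }}"

- name: Validate system features input types
  when: system.features is defined
  # Iterates over the feature names found in `system_defaults.features`,
  # which is defined outside this file.
  # NOTE(review): keys present in system.features but absent from
  # system_defaults.features are never visited, so unknown feature names
  # pass unchecked. Confirm whether they should be rejected.
  loop: "{{ system_defaults.features | dict2items | map(attribute='key') | list }}"
  loop_control:
    label: "system.features.{{ item }}"
  ansible.builtin.assert:
    that:
      # A feature the caller did not set defaults to {} and passes.
      - (system.features[item] | default({})) is mapping
    fail_msg: "system.features.{{ item }} must be a dictionary."
    quiet: true

- name: Validate system LUKS TPM2 input type
  when: system.luks is defined and system.luks is mapping
  ansible.builtin.assert:
    that:
      # Type check only; the contents of system.luks.tpm2 are not inspected.
      - system.luks.tpm2 is not defined or system.luks.tpm2 is mapping
    fail_msg: "system.luks.tpm2 must be a dictionary."
    quiet: true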