---
- name: Remove Archiso and cloud-init disks
  when: hypervisor_type == "libvirt"
  delegate_to: localhost
  become: false
  block:
    - name: Read current VM XML definition
      community.libvirt.virt:
        command: get_xml
        name: "{{ hostname }}"
      register: cleanup_libvirt_get_xml
      changed_when: false

    - name: Initialize cleaned VM XML
      ansible.builtin.set_fact:
        cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_get_xml.get_xml }}"

    - name: Remove boot ISO device from VM XML (source match)
      when: boot_iso is defined and boot_iso | length > 0
      community.general.xml:
        xmlstring: "{{ cleanup_libvirt_domain_xml }}"
        xpath: "/domain/devices/disk[contains(source/@file, '{{ boot_iso | basename }}')]"
        state: absent
      register: cleanup_libvirt_xml_strip_boot_source

    - name: Update cleaned VM XML after removing boot ISO source match
      when: boot_iso is defined and boot_iso | length > 0
      ansible.builtin.set_fact:
        cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_boot_source.xmlstring }}"

    - name: Remove boot ISO device from VM XML (target fallback)
      community.general.xml:
        xmlstring: "{{ cleanup_libvirt_domain_xml }}"
        xpath: "/domain/devices/disk[target/@dev='sda']"
        state: absent
      register: cleanup_libvirt_xml_strip_boot

    - name: Update cleaned VM XML after removing boot ISO
      ansible.builtin.set_fact:
        cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_boot.xmlstring }}"

    - name: Remove cloud-init ISO device from VM XML (source match)
      community.general.xml:
        xmlstring: "{{ cleanup_libvirt_domain_xml }}"
        xpath: "/domain/devices/disk[contains(source/@file, '{{ hostname }}-cloudinit.iso')]"
        state: absent
      register: cleanup_libvirt_xml_strip_cloudinit_source

    - name: Update cleaned VM XML after removing cloud-init ISO source match
      ansible.builtin.set_fact:
        cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_cloudinit_source.xmlstring }}"

    - name: Remove cloud-init ISO device from VM XML (target fallback)
      community.general.xml:
        xmlstring: "{{ cleanup_libvirt_domain_xml }}"
        xpath: "/domain/devices/disk[target/@dev='sdb']"
        state: absent
      register: cleanup_libvirt_xml_strip_cloudinit

    - name: Update cleaned VM XML after removing cloud-init ISO
      ansible.builtin.set_fact:
        cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_cloudinit.xmlstring }}"

    - name: Strip XML declaration for libvirt define
      ansible.builtin.set_fact:
        cleanup_libvirt_domain_xml_clean: >-
          {{
            cleanup_libvirt_domain_xml
            | replace('\ufeff', '')
            | regex_replace("(?is)<\\?xml[^>]*\\?>", "")
            | regex_replace("(?i)encoding=[\"'][^\"']+[\"']", "")
            | trim
          }}

    - name: Ensure boot device is set to hard disk in VM XML
      when: "'<boot ' not in cleanup_libvirt_domain_xml_clean"
      ansible.builtin.set_fact:
        cleanup_libvirt_domain_xml_clean: >-
          {{ cleanup_libvirt_domain_xml_clean | regex_replace('(</type>)', '\1\n    <boot dev="hd"/>') }}

    - name: Update VM definition without installer media
      community.libvirt.virt:
        command: define
        xml: "{{ cleanup_libvirt_domain_xml_clean }}"

    - name: Remove cloud-init disk
      ansible.builtin.file:
        path: "{{ virtualization_libvirt_cloudinit_path }}"
        state: absent

    - name: Ensure VM is powered off before restart
      community.libvirt.virt:
        name: "{{ hostname }}"
        state: destroyed
      failed_when: false

    - name: Enroll Secure Boot keys in VM NVRAM
      when:
        - system_cfg.features.secure_boot.enabled | default(false) | bool
        - os != 'archlinux'
      block:
        - name: Find VM NVRAM file path
          ansible.builtin.shell:
            cmd: >-
              set -o pipefail &&
              virsh -c {{ libvirt_uri | default('qemu:///system') }} dumpxml {{ hostname }}
              | grep -oP '<nvram[^>]*>\K[^<]+'
            executable: /bin/bash
          register: _sb_nvram_path
          changed_when: false
          failed_when: false

        - name: Enroll Secure Boot keys via virt-fw-vars
          when: _sb_nvram_path.stdout | default('') | length > 0
          ansible.builtin.command:
            argv:
              - virt-fw-vars
              - --inplace
              - "{{ _sb_nvram_path.stdout | trim }}"
              - --enroll-redhat
              - --secure-boot
          register: _sb_enroll_result
          changed_when: _sb_enroll_result.rc == 0
          failed_when: false

    - name: Start the VM
      community.libvirt.virt:
        name: "{{ hostname }}"
        state: running

    # delegate_to inventory_hostname: overrides play-level localhost to run wait_for_connection against the VM
    - name: Wait for VM to boot up
      delegate_to: "{{ inventory_hostname }}"
      ansible.builtin.wait_for_connection:
        timeout: 300
      failed_when: false
      changed_when: false