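---
# Install the distribution's shim first-stage bootloader into the target's EFI
# system partition and, on virtual systems, attempt to enroll Secure Boot keys
# from inside the chroot.
#
# Expected from the caller: os, chroot_command, partitioning_efi_mountpoint,
# _configuration_platform (with grub_install) and system_cfg (with type).
# Registered results: _shim_find_result, _shim_copy_result, _sbctl_check,
# _sb_enroll_result, _shim_stat.
- name: Configure shim-based Secure Boot
  vars:
    # Directory under EFI/ that the distribution's shim and GRUB live in.
    _efi_vendor: >-
      {{ "redhat" if os == "rhel" else ("ubuntu" if os in ["ubuntu", "ubuntu-lts"] else os) }}
    # Where the shim ends up on the mounted target ESP (host path, not chroot).
    _shim_target: "/mnt{{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/shimx64.efi"
  block:
    - name: Find shim binaries in target system
      # Collect every candidate (no -quit): find's traversal order is not
      # deterministic, and a signed build may sit next to an unsigned one.
      ansible.builtin.command: >-
        {{ chroot_command }} find /usr/lib/shim /boot/efi/EFI -name 'shimx64.efi*' -type f -print
      register: _shim_find_result
      changed_when: false
      failed_when: false

    - name: Copy shim to EFI vendor directory
      when:
        - _shim_find_result.stdout | default('') | length > 0
        - _configuration_platform.grub_install | bool
      vars:
        # Prefer a file whose name ends in "signed" (e.g. shimx64.efi.signed)
        # over a bare shimx64.efi; fall back to the first match otherwise.
        # An unsigned shim would be rejected by Secure Boot firmware.
        _shim_source: >-
          {{ ((_shim_find_result.stdout_lines | select('search', 'signed$') | list)
              + _shim_find_result.stdout_lines) | first }}
      block:
        - name: Ensure EFI vendor directory exists
          # cp does not create intermediate directories; the ESP is mounted
          # on the host, so this runs outside the chroot like the cp below.
          ansible.builtin.file:
            path: "{{ _shim_target | dirname }}"
            state: directory

        - name: Copy shim binary
          ansible.builtin.command: >-
            cp {{ _shim_source }} {{ _shim_target }}
          register: _shim_copy_result
          changed_when: _shim_copy_result.rc == 0

    - name: Enroll Secure Boot keys via sbctl
      when: system_cfg.type == 'virtual'
      block:
        - name: Check if sbctl is available in target system
          # The enroll step runs through chroot_command, so probe the chroot,
          # not the installer host. `command -v` is a POSIX shell builtin and
          # does not depend on `which` being installed in the image.
          ansible.builtin.command: >-
            {{ chroot_command }} sh -c 'command -v sbctl'
          register: _sbctl_check
          changed_when: false
          failed_when: false

        - name: Enroll default UEFI Secure Boot keys
          when: _sbctl_check.rc == 0
          # NOTE(review): sbctl enroll-keys expects keys created beforehand
          # (sbctl create-keys) and firmware in Setup Mode, and needs efivarfs
          # reachable inside the chroot — confirm the image prepares these.
          ansible.builtin.command: >-
            {{ chroot_command }} sbctl enroll-keys --microsoft
          register: _sb_enroll_result
          changed_when: _sb_enroll_result.rc == 0
          failed_when: false

        - name: Report Secure Boot key enrollment failure
          # Enrollment is best-effort (failed_when: false above), but a silent
          # failure leaves the firmware's key state unknown; surface it.
          when:
            - _sb_enroll_result is not skipped
            - _sb_enroll_result.rc != 0
          ansible.builtin.debug:
            msg: >-
              sbctl enroll-keys failed (rc={{ _sb_enroll_result.rc }}):
              {{ _sb_enroll_result.stderr | default('') }}

    - name: Verify shim is present
      ansible.builtin.stat:
        path: "{{ _shim_target }}"
      register: _shim_stat

    - name: Report Secure Boot status
      ansible.builtin.debug:
        msg: >-
          Secure Boot (shim): {{ 'shimx64.efi installed' if (_shim_stat.stat.exists | default(false)) else 'shimx64.efi not found, shim package may handle placement on first boot' }}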