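---
# Set up the LUKS container on the device chosen by the partitioning role
# (partitioning_luks_device), make sure its mapper is open, and record the
# container UUID for later steps. Every task that receives the passphrase
# runs with no_log so the secret never reaches Ansible output or log files.
- name: Configure LUKS encryption
  when: system_cfg.luks.enabled | bool
  block:
    - name: Validate LUKS passphrase
      ansible.builtin.assert:
        that:
          # default('', true) maps a null passphrase to '' so it is rejected
          # here instead of passing through `| string` as the literal text
          # "None"; trim rejects whitespace-only values as well.
          - (system_cfg.luks.passphrase | default('', true) | string | trim | length) > 0
        fail_msg: system.luks.passphrase must be set when LUKS is enabled.
      # The assert's `that` expression would echo the passphrase on failure.
      no_log: true

    # state: present only formats the device when it is not already a LUKS
    # container; an existing header is left untouched.
    - name: Ensure LUKS container exists
      community.crypto.luks_device:
        device: "{{ partitioning_luks_device }}"
        state: present
        type: "{{ system_cfg.luks.type }}"
        cipher: "{{ system_cfg.luks.cipher }}"
        hash: "{{ system_cfg.luks.hash }}"
        keysize: "{{ system_cfg.luks.bits }}"
        pbkdf:
          algorithm: "{{ system_cfg.luks.pbkdf }}"
          # luks_device takes iteration_time in seconds; system_cfg.luks.iter
          # is assumed to be in milliseconds (cryptsetup --iter-time units) —
          # confirm against the config schema.
          iteration_time: "{{ (system_cfg.luks.iter | float) / 1000 }}"
        passphrase: "{{ system_cfg.luks.passphrase | string }}"
      no_log: true

    # Tear down any mapper left over from a previous run so the open below
    # starts from a known state. Both steps are best-effort: normally no
    # mapper exists yet and they simply report nothing to do.
    - name: Force-close LUKS mapper
      community.crypto.luks_device:
        name: "{{ system_cfg.luks.mapper }}"
        state: closed
      failed_when: false

    # `dmsetup remove --force` replaces the table of an in-use mapping with an
    # error target, so it must only run while nothing is mounted on the
    # mapper. argv keeps the mapper name as a single argument regardless of
    # its characters (no word splitting of the templated value).
    - name: Force-remove LUKS mapper device
      ansible.builtin.command:
        argv:
          - dmsetup
          - remove
          - --force
          - --retry
          - "{{ system_cfg.luks.mapper }}"
      register: partitioning_dmsetup_remove_after_format
      changed_when: partitioning_dmsetup_remove_after_format.rc == 0
      failed_when: false

    - name: Settle udev after removing LUKS mapper
      ansible.builtin.command: udevadm settle
      changed_when: false
      failed_when: false

    # A first open attempt can fail if a stale mapping still exists; the
    # rescue path clears it and retries once. The retry is not wrapped in
    # failed_when, so a second failure stops the play.
    - name: Ensure LUKS mapper is opened
      block:
        - name: Open LUKS device
          community.crypto.luks_device:
            device: "{{ partitioning_luks_device }}"
            state: opened
            name: "{{ system_cfg.luks.mapper }}"
            passphrase: "{{ system_cfg.luks.passphrase | string }}"
            # Pass-through of TRIM/discard requests; weakens confidentiality
            # of free-space layout, so it is only enabled when the config
            # explicitly lists 'discard' in the mount/crypt options.
            allow_discards: "{{ 'discard' in (system_cfg.luks.options | lower) }}"
          no_log: true
      rescue:
        - name: Force-close stale LUKS mapper
          community.crypto.luks_device:
            name: "{{ system_cfg.luks.mapper }}"
            state: closed
          failed_when: false

        - name: Force-remove stale LUKS mapper device
          ansible.builtin.command:
            argv:
              - dmsetup
              - remove
              - --force
              - --retry
              - "{{ system_cfg.luks.mapper }}"
          register: partitioning_dmsetup_remove_retry
          changed_when: partitioning_dmsetup_remove_retry.rc == 0
          failed_when: false

        - name: Settle udev after removing stale LUKS mapper
          ansible.builtin.command: udevadm settle
          changed_when: false
          failed_when: false

        - name: Retry opening LUKS device
          community.crypto.luks_device:
            device: "{{ partitioning_luks_device }}"
            state: opened
            name: "{{ system_cfg.luks.mapper }}"
            passphrase: "{{ system_cfg.luks.passphrase | string }}"
            allow_discards: "{{ 'discard' in (system_cfg.luks.options | lower) }}"
          no_log: true

    # The UUID is not secret, so no no_log here; argv avoids word splitting
    # of the device path.
    - name: Get LUKS UUID
      ansible.builtin.command:
        argv:
          - cryptsetup
          - luksUUID
          - "{{ partitioning_luks_device }}"
      register: partitioning_luks_uuid_result
      changed_when: false

    - name: Store LUKS UUID
      ansible.builtin.set_fact:
        partitioning_luks_uuid: "{{ partitioning_luks_uuid_result.stdout | trim }}"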