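---
# 03-02 Traefik ACME: deploy, verify and (optionally) tear down the ACME
# manifest on the k3s server.
#
# The deploy and verify plays are gated on two preconditions:
#   * ACME_EMAIL is set (non-empty), and
#   * the kube-system/cloudflare-api-token secret already exists.
# When the gate fails, the dependent tasks are skipped instead of failing the
# run, so this playbook can sit in a larger pipeline where ACME is optional.
#
# All user-supplied values that reach a shell task go through the `quote`
# filter; ACME_EMAIL in particular is external input and must not be pasted
# unescaped into bash or sed.

- name: Deploy 03-02 Traefik ACME (gated)
  hosts: k3s_server
  become: true
  run_once: true
  vars:
    k3s_kubeconfig: /etc/rancher/k3s/k3s.yaml
    manifest_src: "{{ playbook_dir }}/../../files/03-02-traefik-acme/traefik-acme.yaml"
    # NOTE(review): a fixed, predictable path in the shared /tmp; a per-run
    # directory (ansible.builtin.tempfile) would avoid that if it matters here.
    manifest_dest: /tmp/traefik-acme.yaml
    acme_email: "{{ ACME_EMAIL | default('') }}"
    # Token in the manifest that is replaced with the real ACME e-mail.
    # NOTE(review): the original sed expression had an empty pattern
    # (`s//.../g`), which makes sed exit with "no previous regular expression"
    # and, under `set -e`, fails the task. The value below is a labelled
    # stand-in -- set it to the token actually used in traefik-acme.yaml.
    acme_email_placeholder: "ACME_EMAIL_PLACEHOLDER"
  tasks:
    # rc == 0 only when both preconditions hold. The task itself never fails
    # (failed_when: false) so that later tasks can branch on acme_gate.rc.
    - name: "Gate - require ACME_EMAIL and cloudflare-api-token secret"
      ansible.builtin.shell: |
        set -e
        test -n {{ acme_email | quote }}
        KUBECONFIG={{ k3s_kubeconfig | quote }} kubectl -n kube-system get secret cloudflare-api-token >/dev/null
      args:
        executable: /bin/bash
      register: acme_gate
      changed_when: false
      failed_when: false

    - name: Copy manifest
      when: acme_gate.rc == 0
      ansible.builtin.copy:
        src: "{{ manifest_src }}"
        dest: "{{ manifest_dest }}"
        mode: "0644"

    # Module-based substitution instead of `sed -i` in a shell: the e-mail is
    # user-supplied and is neither shell- nor sed-metacharacter safe. The
    # placeholder is regex-escaped so it is matched literally; all occurrences
    # are replaced, matching the former `/g` flag.
    - name: Replace ACME email placeholder
      when: acme_gate.rc == 0
      ansible.builtin.replace:
        path: "{{ manifest_dest }}"
        regexp: "{{ acme_email_placeholder | regex_escape }}"
        replace: "{{ acme_email }}"

    - name: Apply manifest + restart traefik
      when: acme_gate.rc == 0
      ansible.builtin.shell: |
        set -e
        KUBECONFIG={{ k3s_kubeconfig | quote }} kubectl apply -f {{ manifest_dest | quote }}
        # Best-effort restart: a missing or renamed deployment must not fail the play.
        KUBECONFIG={{ k3s_kubeconfig | quote }} kubectl -n kube-system rollout restart deploy/traefik || true
      args:
        executable: /bin/bash
      changed_when: true

- name: Verify 03-02 Traefik ACME (gated)
  hosts: k3s_server
  become: true
  run_once: true
  vars:
    k3s_kubeconfig: /etc/rancher/k3s/k3s.yaml
    acme_email: "{{ ACME_EMAIL | default('') }}"
  tasks:
    # Same gate as the deploy play: skip verification when ACME was not deployed.
    - name: "Gate - require ACME_EMAIL and cloudflare-api-token secret"
      ansible.builtin.shell: |
        set -e
        test -n {{ acme_email | quote }}
        KUBECONFIG={{ k3s_kubeconfig | quote }} kubectl -n kube-system get secret cloudflare-api-token >/dev/null
      args:
        executable: /bin/bash
      register: acme_gate
      changed_when: false
      failed_when: false

    # Fails the play if traefik does not become ready within the timeout.
    - name: Wait traefik rollout
      when: acme_gate.rc == 0
      ansible.builtin.shell: |
        set -e
        KUBECONFIG={{ k3s_kubeconfig | quote }} kubectl -n kube-system rollout status deploy/traefik --timeout=180s
      args:
        executable: /bin/bash
      changed_when: false

- name: Teardown 03-02 Traefik ACME (optional)
  hosts: k3s_server
  become: true
  run_once: true
  vars:
    k3s_kubeconfig: /etc/rancher/k3s/k3s.yaml
    # Compared as a string below, so "1" / "0" from the environment both work.
    verify_teardown: "{{ (VERIFY_TEARDOWN | default('1')) | string }}"
    manifest_dest: /tmp/traefik-acme.yaml
    acme_email: "{{ ACME_EMAIL | default('') }}"
  tasks:
    - name: Check whether the rendered manifest exists
      ansible.builtin.stat:
        path: "{{ manifest_dest }}"
      register: manifest_stat

    # Gated: only clean up when the deploy gate passed (ACME_EMAIL set) and the
    # rendered manifest still exists; otherwise skip, to avoid fail-fast.
    # The gate now lives in `when`, so a genuine `kubectl delete` failure is no
    # longer masked by a blanket failed_when: false; resources that are already
    # gone are covered by --ignore-not-found.
    - name: Delete resources when VERIFY_TEARDOWN=1
      when:
        - verify_teardown == "1"
        - acme_email | length > 0
        - manifest_stat.stat.exists
      ansible.builtin.shell: |
        set -e
        KUBECONFIG={{ k3s_kubeconfig | quote }} kubectl delete -f {{ manifest_dest | quote }} --ignore-not-found=true
      args:
        executable: /bin/bash
      changed_when: true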