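---
# Headscale deployment tasks: render and start the compose service, then
# optionally mint an API key and/or a per-user pre-auth key (both printed
# once for the operator), and finally deploy the internet -> headnet proxy.
#
# Required vars when the optional steps are enabled: api_key_expiration,
# auth_key_user, auth_key_expiration (no defaults are defined here).

- name: Deploy Headscale
  ansible.builtin.import_tasks: manage-docker-compose-service.yml
  vars:
    service_name: headscale
    template_render_dir: "../templates/headscale"
    service_destination_dir: "{{ headscale_base }}"
    state: started
    rollout_services:
      - name: headscale

- name: Generate Headscale API key (if requested)
  when: generate_api_key | default(false)
  block:
    - name: Execute API key generation command
      ansible.builtin.command:
        # argv form: each element is exactly one argument, so a templated
        # value containing whitespace or shell metacharacters cannot turn
        # into extra arguments (the string `cmd:` form is word-split first).
        argv:
          - docker
          - compose
          - exec
          - headscale
          - headscale
          - apikeys
          - create
          - --expiration
          - "{{ api_key_expiration }}"
        # NOTE(review): hard-coded here while the deploy task above uses
        # {{ headscale_base }} — confirm both refer to the same compose dir.
        chdir: /etc/docker/compose/headscale
      register: api_key_result
      changed_when: true
      # stdout *is* the secret: keep the task result out of logs/callbacks.
      # (Failure output is censored as well — flip to false when debugging.)
      no_log: true

    - name: Store and display newly generated API key
      when: api_key_result.rc == 0  # only proceed if key generation succeeded
      block:
        - name: Store API Key in fact
          ansible.builtin.set_fact:
            headscale_api_key: "{{ api_key_result.stdout }}"
          no_log: true

        # Deliberately prints the secret once for the operator; it will
        # also appear in any captured playbook output or log of this run.
        - name: Display API Key (Requires User Action)
          ansible.builtin.debug:
            msg: "IMPORTANT: Please store this newly generated Headscale API Key! {{ headscale_api_key }}"

        - name: Pause for user confirmation (API Key)
          ansible.builtin.pause:
            prompt: "API Key displayed. Press return to continue..."

- name: Create Headscale system user and auth key (if requested)
  when: generate_auth_key | default(false)  # default to false if var is undefined
  block:
    # Note: These steps might not be fully idempotent. Re-running will attempt
    # creation again; an already-existing user is tolerated via failed_when.
    - name: Create system key user '{{ auth_key_user }}'
      ansible.builtin.command:
        # argv form avoids word-splitting of the templated user name.
        argv:
          - docker
          - compose
          - exec
          - headscale
          - headscale
          - users
          - create
          - "{{ auth_key_user }}"
        chdir: /etc/docker/compose/headscale
      register: user_create_result
      changed_when: "'User created' in user_create_result.stdout"
      # Treat "user already exists" as success so re-runs do not abort.
      failed_when: user_create_result.rc != 0 and 'Cannot create user' not in user_create_result.stderr

    - name: Create auth key for user '{{ auth_key_user }}'
      ansible.builtin.command:
        argv:
          - docker
          - compose
          - exec
          - headscale
          - headscale
          - preauthkeys
          - create
          - --reusable
          - --expiration
          - "{{ auth_key_expiration }}"
          - --user
          - "{{ auth_key_user }}"
        chdir: /etc/docker/compose/headscale
      register: auth_key_result
      changed_when: true
      # stdout *is* the secret: keep the task result out of logs/callbacks.
      no_log: true

    - name: Store and display newly generated Auth Key
      when: auth_key_result.rc == 0  # only proceed if key generation succeeded
      block:
        # This stores the *newly generated* key. Be aware of Ansible variable
        # precedence if 'headscale_user_auth_key' is also defined elsewhere
        # (like vaults). This fact is primarily for immediate display and the
        # user interaction below.
        - name: Store Auth Key in fact
          ansible.builtin.set_fact:
            headscale_user_auth_key: "{{ auth_key_result.stdout }}"
          no_log: true

        # Deliberately prints the secret once for the operator; it will
        # also appear in any captured playbook output or log of this run.
        - name: Display Auth Key (Requires User Action)
          ansible.builtin.debug:
            msg: "IMPORTANT: Please store this newly generated Auth Key for user '{{ auth_key_user }}'! {{ headscale_user_auth_key }}"

        - name: Pause for user confirmation (Auth Key)
          ansible.builtin.pause:
            prompt: "Auth Key displayed. Press return to continue..."

- name: Deploy Open Internet -> Headnet Proxy
  ansible.builtin.import_tasks: manage-docker-compose-service.yml
  vars:
    service_name: proxy
    template_render_dir: "../templates/proxy"
    service_destination_dir: "{{ proxy_base }}"
    state: started
    rollout_services:
      - name: "{{ vpn_proxy_filter_container_name }}"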