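# Pull the release tarball from the Forgejo Package Registry and
# extract it into the per-SHA release directory under /opt/veza/
# (`veza_app_release_dir`). Atomic via the `current` symlink: nothing
# is visible to the running service until the symlink swap at the end.
# Idempotent: re-running this task with the same SHA is a no-op once
# VERSION exists.
#
# NOTE(review): nothing in this file verifies the tarball's integrity
# before it is extracted and made live. get_url is called without
# `checksum` and no signature check follows, so trust rests entirely on
# whatever `veza_app_artifact_url` serves.
---
- name: Ensure veza_app system user exists
  ansible.builtin.user:
    name: "{{ veza_app_user }}"
    system: true
    # Service account only: no interactive login, no home directory created.
    shell: /usr/sbin/nologin
    home: "{{ veza_app_install_dir }}"
    create_home: false
  tags: [veza_app, artifact]

# NOTE(review): all three directories are owned by the service account,
# and the extract task below gives the unpacked files the same owner. A
# process running as `veza_app_user` can therefore replace files in the
# release dir, including the binary checked further down. If only the
# log directory has to be writable by the service, consider root
# ownership for the other two -- confirm what the app writes at runtime.
- name: Ensure install + log directories
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: "{{ veza_app_user }}"
    group: "{{ veza_app_group }}"
    mode: "0755"
  loop:
    - "{{ veza_app_install_dir }}"
    - "{{ veza_app_release_dir }}"
    - "{{ veza_log_root }}"
  tags: [veza_app, artifact]

- name: Fetch release tarball into /tmp
  ansible.builtin.get_url:
    url: "{{ veza_app_artifact_url }}"
    dest: "/tmp/veza-{{ veza_component }}-{{ veza_release_sha }}.tar.zst"
    # Readable by the owning account only.
    mode: "0600"
    headers:
      # NOTE(review): `default('')` means an undefined token still sends
      # an `Authorization: token ` header instead of failing here; a
      # missing secret then shows up only as the registry's response.
      Authorization: "token {{ vault_forgejo_registry_token | default('') }}"
    timeout: 60
    # Don't re-download if the file is already present (idempotency on
    # retries).
    # NOTE(review): a file already at this path is accepted as-is. The
    # name is predictable and sits in /tmp, so on a host with other
    # local accounts its origin is not guaranteed. Passing the artifact
    # digest through get_url's `checksum` parameter would make the reuse
    # safe (an existing file is compared against the digest) and would
    # also cover integrity in transit.
    force: false
  # The task arguments carry the vaulted registry token; no_log keeps it
  # out of verbose output and callback logs. Failure details for this
  # task are censored as well -- lift it temporarily when debugging.
  no_log: true
  tags: [veza_app, artifact]

- name: Extract tarball into the per-SHA release dir
  ansible.builtin.unarchive:
    src: "/tmp/veza-{{ veza_component }}-{{ veza_release_sha }}.tar.zst"
    dest: "{{ veza_app_release_dir }}"
    # The archive is already on the managed host (fetched above).
    remote_src: true
    owner: "{{ veza_app_user }}"
    group: "{{ veza_app_group }}"
    # Skip extraction once this release's VERSION file exists.
    creates: "{{ veza_app_release_dir }}/VERSION"
  tags: [veza_app, artifact]

- name: Verify the binary landed (kind=binary only)
  ansible.builtin.stat:
    path: "{{ veza_app_release_dir }}/{{ veza_app_binary_name }}"
  register: binary_stat
  when: veza_app_kind == 'binary'
  tags: [veza_app, artifact]

# Presence and mode check only: this catches a broken build, not a
# tampered one.
- name: Fail fast if the binary is missing or not executable
  ansible.builtin.assert:
    that:
      - binary_stat.stat.exists
      - binary_stat.stat.executable
    fail_msg: >-
      Tarball {{ veza_app_artifact_url }} extracted but
      {{ veza_app_binary_name }} is missing or not
      executable at {{ veza_app_release_dir }}.
      Tarball-build job is broken.
  when: veza_app_kind == 'binary'
  tags: [veza_app, artifact]

# Runs only after the checks above pass, so a failed release never
# becomes `current`.
- name: Atomically swap the `current` symlink
  ansible.builtin.file:
    path: "{{ veza_app_current_link }}"
    src: "{{ veza_app_release_dir }}"
    state: link
    # Replace the link when it already points at an older release.
    force: true
    owner: "{{ veza_app_user }}"
    group: "{{ veza_app_group }}"
  tags: [veza_app, artifact]

- name: Cleanup downloaded tarball
  ansible.builtin.file:
    path: "/tmp/veza-{{ veza_component }}-{{ veza_release_sha }}.tar.zst"
    state: absent
  tags: [veza_app, artifact]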