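---
# Install Tailscale from the vendor apt repository on Ubuntu/Debian hosts.
#
# Every task after the first is gated on `tailscale_version_check.rc != 0`,
# so a host where any `tailscale` binary already answers on PATH is left
# untouched: no key refresh, no repository repair and no service
# enforcement happen there.

- name: Check if Tailscale is already installed
  ansible.builtin.command: tailscale version
  register: tailscale_version_check
  # A non-zero rc is the signal used by the tasks below, not an error.
  failed_when: false
  changed_when: false

# NOTE(review): this only checks that the file *looks like* a PGP keyring
# (`file` output contains "PGP"). It does not verify that the key inside is
# the Tailscale signing key, so an unexpected but well-formed keyring is
# reported as "correct_key" and kept as the apt trust anchor.
- name: Check if Tailscale GPG key exists and is correct
  ansible.builtin.shell: |
    if [ -f /usr/share/keyrings/tailscale-archive-keyring.gpg ]; then
      if file /usr/share/keyrings/tailscale-archive-keyring.gpg | grep -q "PGP"; then
        echo "correct_key"
      else
        echo "wrong_key"
      fi
    else
      echo "not_exists"
    fi
  register: tailscale_key_check
  failed_when: false
  # Read-only probe: never report a change.
  changed_when: false
  when: tailscale_version_check.rc != 0

# Only the `signed-by=` clause is matched; the repository URL and suite in
# the list file are not inspected by this probe.
- name: Check if Tailscale repository exists and is correct
  ansible.builtin.shell: |
    if [ -f /etc/apt/sources.list.d/tailscale.list ]; then
      if grep -q "deb \[signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg\]" \
          /etc/apt/sources.list.d/tailscale.list; then
        echo "correct_config"
      else
        echo "wrong_config"
      fi
    else
      echo "not_exists"
    fi
  register: tailscale_repo_check
  failed_when: false
  # Read-only probe: never report a change.
  changed_when: false
  when: tailscale_version_check.rc != 0

- name: Remove incorrect Tailscale GPG key
  ansible.builtin.file:
    path: /usr/share/keyrings/tailscale-archive-keyring.gpg
    state: absent
  become: true
  when:
    - tailscale_version_check.rc != 0
    - tailscale_key_check.stdout == "wrong_key"

- name: Remove incorrect Tailscale repository
  ansible.builtin.file:
    path: /etc/apt/sources.list.d/tailscale.list
    state: absent
  become: true
  when:
    - tailscale_version_check.rc != 0
    - tailscale_repo_check.stdout == "wrong_config"

# Resolved before the key download so that the key URL and the repository
# line are built from the same distribution/codename pair. Anything that is
# not Ubuntu is treated as Debian bookworm.
- name: Determine repository distribution and codename
  ansible.builtin.set_fact:
    tailscale_repo_distro: "{{ 'ubuntu' if ansible_distribution == 'Ubuntu' else 'debian' }}"
    tailscale_repo_codename: "{{ 'jammy' if ansible_distribution == 'Ubuntu' else 'bookworm' }}"
  when: tailscale_version_check.rc != 0

# This keyring becomes the trust root for every package apt installs from
# the Tailscale repository. As written, HTTPS is the only integrity control
# on the download; pin the file with get_url's `checksum` option once a
# digest has been verified out-of-band.
- name: Add Tailscale GPG key only if needed
  ansible.builtin.get_url:
    url: "https://pkgs.tailscale.com/stable/{{ tailscale_repo_distro }}/{{ tailscale_repo_codename }}.noarmor.gpg"
    dest: /usr/share/keyrings/tailscale-archive-keyring.gpg
    mode: '0644'
    # checksum: "sha256:<PLACEHOLDER-digest-verified-out-of-band>"
  become: true
  when:
    - tailscale_version_check.rc != 0
    - tailscale_key_check.stdout in ["not_exists", "wrong_key"]

# `signed-by` scopes the key to this repository only, instead of adding it
# to the global apt trust store.
- name: Add Tailscale repository only if needed
  ansible.builtin.apt_repository:
    repo: >-
      deb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg]
      https://pkgs.tailscale.com/stable/{{ tailscale_repo_distro }}
      {{ tailscale_repo_codename }} main
    state: present
    filename: tailscale
  become: true
  when:
    - tailscale_version_check.rc != 0
    - tailscale_repo_check.stdout in ["not_exists", "wrong_config"]

- name: Update apt cache
  ansible.builtin.apt:
    update_cache: true
  become: true
  when: tailscale_version_check.rc != 0

- name: Install Tailscale
  ansible.builtin.apt:
    name: tailscale
    state: present
  become: true
  when: tailscale_version_check.rc != 0
  # Handler is defined outside this file.
  notify: Start tailscaled

- name: Enable and start Tailscale daemon
  ansible.builtin.systemd:
    name: tailscaled
    enabled: true
    state: started
  become: true
  when: tailscale_version_check.rc != 0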