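---
# Server monitoring tasks: installs monitoring/diagnostic packages, optionally
# installs btop (apt package preferred, upstream release binary as fallback),
# deploys the fail2ban jail configuration, enables sysstat collection and
# drops two read-only helper scripts under /usr/local/bin/monitoring.
#
# Toggles read by this file:
#   monitoring_server_install_btop    - install btop at all
#   monitoring_server_enable_sysstat  - set ENABLED="true" in /etc/default/sysstat
#   monitoring_server_create_scripts  - deploy the sysinfo / netinfo scripts
# Optional overrides introduced for the btop binary fallback (both may be
# left undefined, in which case the previous URL is used and no checksum is
# enforced):
#   monitoring_server_btop_url        - release asset to download
#   monitoring_server_btop_checksum   - "<algorithm>:<digest>" passed to get_url

- name: Install monitoring packages (server)
  ansible.builtin.apt:
    name:
      # System monitoring
      - htop
      - iotop
      - nethogs
      - iftop
      - ncdu
      - dstat
      # Log monitoring / security
      - logwatch
      - fail2ban
      # Network monitoring
      # NOTE(review): nmap and tcpdump are dual-use diagnostics; confirm that
      # every host in this group needs them installed permanently.
      - nmap
      - tcpdump
      # Performance monitoring
      - sysstat
      - atop
    state: present

- name: Check if btop is available in apt
  ansible.builtin.command: apt-cache policy btop
  # The later conditions match on the literal "Candidate:" label, so force an
  # untranslated locale for this one command.
  environment:
    LC_ALL: 'C'
  register: monitoring_server_btop_apt_check
  changed_when: false
  failed_when: false
  when: monitoring_server_install_btop | bool

# "apt-cache policy" prints "Installed: (none)" for any package that is not
# installed yet, so a bare "(none)" test is true on every fresh host and would
# skip the signed apt package in favour of the binary download. Only the
# "Candidate: (none)" line means apt has nothing to install.
- name: Install btop from apt if available (Debian 12+)
  ansible.builtin.apt:
    name: btop
    state: present
    update_cache: false
  when:
    - monitoring_server_install_btop | bool
    - monitoring_server_btop_apt_check.rc == 0
    - "'Candidate:' in monitoring_server_btop_apt_check.stdout"
    - "'Candidate: (none)' not in monitoring_server_btop_apt_check.stdout"
  # Best effort: btop is optional, a failed install must not stop the play.
  failed_when: false

# Fallback path. The condition is the exact complement of the apt condition
# above, which also covers a package unknown to apt (rc 0, empty output).
#
# The download runs as the play's privileged user and ends up in
# /usr/local/bin, so:
#   * the work happens in a private directory from tempfile rather than at
#     fixed, guessable names in world-writable /tmp, where another local user
#     could pre-create /tmp/btop or /tmp/btop.tbz;
#   * a failed step aborts the remaining steps (rescue keeps the play going),
#     instead of every step ignoring errors and the copy installing whatever
#     happens to be on disk;
#   * a checksum is enforced when monitoring_server_btop_checksum is set.
# NOTE(review): the default URL tracks "releases/latest", so the installed
# binary is whatever upstream publishes at run time. Pin
# monitoring_server_btop_url to a specific release together with its checksum
# for a reproducible, verifiable install. The default asset is x86_64-only.
- name: Install btop from binary if apt not available
  when:
    - monitoring_server_install_btop | bool
    - >-
      monitoring_server_btop_apt_check.rc != 0
      or 'Candidate:' not in monitoring_server_btop_apt_check.stdout
      or 'Candidate: (none)' in monitoring_server_btop_apt_check.stdout
  block:
    - name: Create private working directory for btop download
      ansible.builtin.tempfile:
        state: directory
        prefix: btop.
      register: monitoring_server_btop_tmpdir

    - name: Download btop binary
      ansible.builtin.get_url:
        url: "{{ monitoring_server_btop_url | default('https://github.com/aristocratos/btop/releases/latest/download/btop-x86_64-linux-musl.tbz') }}"
        dest: "{{ monitoring_server_btop_tmpdir.path }}/btop.tbz"
        checksum: "{{ monitoring_server_btop_checksum | default(omit) }}"
        mode: '0644'

    - name: Extract btop
      ansible.builtin.unarchive:
        src: "{{ monitoring_server_btop_tmpdir.path }}/btop.tbz"
        dest: "{{ monitoring_server_btop_tmpdir.path }}"
        remote_src: true

    - name: Install btop binary
      ansible.builtin.copy:
        src: "{{ monitoring_server_btop_tmpdir.path }}/btop/bin/btop"
        dest: /usr/local/bin/btop
        mode: '0755'
        remote_src: true

  rescue:
    # btop is optional: report the failure and carry on with the play.
    - name: Report skipped btop binary install
      ansible.builtin.debug:
        msg: btop binary install failed; continuing without btop

  always:
    - name: Clean up btop download
      ansible.builtin.file:
        path: "{{ monitoring_server_btop_tmpdir.path }}"
        state: absent
      # The path is missing when the tempfile task itself failed.
      when: monitoring_server_btop_tmpdir.path is defined
      failed_when: false

- name: Configure fail2ban
  ansible.builtin.template:
    src: jail.local.j2
    dest: /etc/fail2ban/jail.local
    mode: '0644'
  notify: restart fail2ban

- name: Enable sysstat data collection
  ansible.builtin.lineinfile:
    path: /etc/default/sysstat
    regexp: '^ENABLED='
    line: 'ENABLED="true"'
  notify: restart sysstat
  when: monitoring_server_enable_sysstat | bool

- name: Create monitoring scripts directory
  ansible.builtin.file:
    path: /usr/local/bin/monitoring
    state: directory
    mode: '0755'
  when: monitoring_server_create_scripts | bool

# Read-only status report: host overview, memory, disk, top CPU consumers,
# listening sockets and, when the tailscale CLI is present, its status.
- name: Deploy system monitoring script
  ansible.builtin.copy:
    content: |
      #!/bin/bash
      # System monitoring dashboard
      echo "=== System Overview ==="
      echo "Hostname: $(hostname)"
      echo "Uptime: $(uptime -p)"
      echo "Load: $(uptime | awk -F'load average:' '{print $2}')"
      echo ""
      echo "=== Memory ==="
      free -h
      echo ""
      echo "=== Disk Usage ==="
      df -h / /home 2>/dev/null | grep -v tmpfs
      echo ""
      echo "=== Top Processes ==="
      ps aux --sort=-%cpu | head -6
      echo ""
      echo "=== Network Connections ==="
      ss -tuln | head -10
      echo ""
      if command -v tailscale >/dev/null; then
          echo "=== Tailscale Status ==="
          tailscale status --peers=false 2>/dev/null || echo "Not connected"
      fi
    dest: /usr/local/bin/monitoring/sysinfo
    mode: '0755'
  when: monitoring_server_create_scripts | bool

# Read-only network report: interface addresses and state, routes, configured
# resolvers and listening ports.
- name: Deploy network monitoring script
  ansible.builtin.copy:
    content: |
      #!/bin/bash
      # Network monitoring script
      echo "=== Network Interface Status ==="
      ip addr show | grep -E "(inet |state )" | grep -v 127.0.0.1
      echo ""
      echo "=== Route Table ==="
      ip route show
      echo ""
      echo "=== DNS Configuration ==="
      cat /etc/resolv.conf | grep nameserver
      echo ""
      echo "=== Open Ports ==="
      ss -tuln | grep LISTEN | sort
    dest: /usr/local/bin/monitoring/netinfo
    mode: '0755'
  when: monitoring_server_create_scripts | bool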