---
# Proxmox LXC container provisioning via API.
#
# This uses `community.proxmox.proxmox` because it is widely available and
# supports idempotent updates via `update: true`.

- name: Build LXC netif configuration
  ansible.builtin.set_fact:
    lxc_netif_config:
      # IMPORTANT: Proxmox requires net0 to be a single comma-delimited string.
      # Avoid folded YAML blocks here (they can introduce newlines/spaces).
      net0: >-
        {{
          (
            ['name=eth0', 'bridge=' ~ lxc_network_bridge, 'firewall=1']
            + (['ip=' ~ lxc_ip] if (lxc_ip is defined and (lxc_ip | string | length) > 0) else [])
            + (['gw=' ~ lxc_gateway] if (lxc_gateway is defined and (lxc_gateway | string | length) > 0) else [])
          ) | join(',')
        }}

- name: Ensure LXC container is present (create or update)
  community.proxmox.proxmox:
    api_host: "{{ proxmox_host }}"
    api_port: "{{ proxmox_api_port | default(8006) }}"
    validate_certs: "{{ proxmox_validate_certs | default(false) }}"
    api_user: "{{ proxmox_user }}"
    api_password: "{{ vault_proxmox_password | default(omit) }}"
    # Only pass token params when they are set (avoid empty-string triggering required-together errors)
    api_token_id: "{{ proxmox_token_id | default(omit, true) }}"
    api_token_secret: "{{ vault_proxmox_token | default(omit, true) }}"

    node: "{{ proxmox_node }}"
    vmid: "{{ lxc_vmid | default(omit) }}"
    hostname: "{{ lxc_hostname }}"

    ostemplate: "{{ lxc_ostemplate }}"
    unprivileged: "{{ lxc_unprivileged | bool }}"
    features: "{{ lxc_features_list | default(omit) }}"

    cores: "{{ lxc_cores }}"
    memory: "{{ lxc_memory_mb }}"
    swap: "{{ lxc_swap_mb }}"

    # rootfs sizing (GiB). disk_volume is less version-sensitive than string `disk`.
    disk_volume:
      storage: "{{ lxc_storage }}"
      size: "{{ lxc_rootfs_size_gb }}"

    netif: "{{ lxc_netif_config }}"
    nameserver: "{{ lxc_nameserver | default(omit) }}"

    # Bootstrap root SSH access (used by Ansible until appuser exists).
    pubkey: "{{ lxc_pubkey | default(omit) }}"
    password: "{{ vault_lxc_root_password | default(omit) }}"

    update: true
    state: present
  register: lxc_present

- name: Ensure LXC container is started
  community.proxmox.proxmox:
    api_host: "{{ proxmox_host }}"
    api_port: "{{ proxmox_api_port | default(8006) }}"
    validate_certs: "{{ proxmox_validate_certs | default(false) }}"
    api_user: "{{ proxmox_user }}"
    api_password: "{{ vault_proxmox_password | default(omit) }}"
    api_token_id: "{{ proxmox_token_id | default(omit, true) }}"
    api_token_secret: "{{ vault_proxmox_token | default(omit, true) }}"
    node: "{{ proxmox_node }}"
    vmid: "{{ lxc_vmid | default(omit) }}"
    state: started
  when: lxc_start_after_create | bool

- name: Display LXC provisioning results
  ansible.builtin.debug:
    msg: |
      LXC Present: {{ lxc_hostname }} (VMID: {{ lxc_vmid }})
      Cores: {{ lxc_cores }}
      Memory: {{ lxc_memory_mb }}MB (swap {{ lxc_swap_mb }}MB)
      RootFS: {{ lxc_storage }}:{{ lxc_rootfs_size_gb }}
      Net: {{ lxc_network_bridge }} / {{ lxc_ip | default('dhcp/unspecified') }}
      Changed: {{ lxc_present.changed | default(false) }}