ansible/roles/applications/tasks/main.yml

---
- name: Remove NodeSource repository to prevent GPG errors
  ansible.builtin.shell: |
    # Remove NodeSource repository file
    rm -f /etc/apt/sources.list.d/nodesource.list
    # Remove NodeSource key file
    rm -f /etc/apt/keyrings/nodesource.gpg
    # Remove from sources.list if present
    sed -i '/nodesource/d' /etc/apt/sources.list 2>/dev/null || true
    # Remove any cached InRelease files
    rm -f /var/lib/apt/lists/*nodesource* 2>/dev/null || true
    rm -f /var/lib/apt/lists/partial/*nodesource* 2>/dev/null || true
  become: true
  ignore_errors: true
  changed_when: false

- name: Check if applications are already installed
  ansible.builtin.package_facts:
    manager: apt

- name: Check if Brave browser is installed
  ansible.builtin.command: brave-browser --version
  register: applications_brave_check
  ignore_errors: true
  changed_when: false
  failed_when: false
  no_log: true

- name: Set installation conditions
  ansible.builtin.set_fact:
    applications_desktop_apps_needed: "{{ ['redshift', 'libreoffice', 'evince'] | difference(ansible_facts.packages.keys()) | length > 0 }}"
    applications_brave_needs_install: "{{ applications_brave_check.rc != 0 or 'brave-browser' not in ansible_facts.packages }}"

- name: Check if Brave GPG key exists and is correct
  ansible.builtin.shell: |
    if [ -f /usr/share/keyrings/brave-browser-archive-keyring.gpg ]; then
      if file /usr/share/keyrings/brave-browser-archive-keyring.gpg | grep -q "PGP"; then
        echo "correct_key"
      else
        echo "wrong_key"
      fi
    else
      echo "not_exists"
    fi
  register: brave_key_check
  failed_when: false
  changed_when: false
  when: applications_brave_needs_install

- name: Check if Brave repository exists and is correct
  ansible.builtin.shell: |
    if [ -f /etc/apt/sources.list.d/brave-browser.list ]; then
      if grep -q "deb \[signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg\]" /etc/apt/sources.list.d/brave-browser.list; then
        echo "correct_config"
      else
        echo "wrong_config"
      fi
    else
      echo "not_exists"
    fi
  register: brave_repo_check
  failed_when: false
  changed_when: false
  when: applications_brave_needs_install

- name: Clean up duplicate Brave repository files
  ansible.builtin.file:
    path: "{{ item }}"
    state: absent
  loop:
    - /etc/apt/sources.list.d/brave-browser.list
    - /etc/apt/sources.list.d/brave-browser-release.sources
  become: true
  failed_when: false
  when:
    - applications_brave_needs_install
    - brave_repo_check.stdout == "wrong_config"

- name: Remove incorrect Brave GPG key
  ansible.builtin.file:
    path: /usr/share/keyrings/brave-browser-archive-keyring.gpg
    state: absent
  become: true
  when:
    - applications_brave_needs_install
    - brave_key_check.stdout == "wrong_key"

- name: Install desktop applications
  ansible.builtin.apt:
    name:
      - redshift
      - libreoffice
      - evince
    state: present
  when: applications_desktop_apps_needed

- name: Brave browser installation
  when: applications_brave_needs_install
  block:
    - name: Download Brave APT key only if needed
      ansible.builtin.get_url:
        url: https://brave-browser-apt-release.s3.brave.com/brave-browser-archive-keyring.gpg
        dest: /usr/share/keyrings/brave-browser-archive-keyring.gpg
        mode: '0644'
      when: brave_key_check.stdout in ["not_exists", "wrong_key"]

    - name: Add Brave repository only if needed
      ansible.builtin.apt_repository:
        repo: "deb [signed-by=/usr/share/keyrings/brave-browser-archive-keyring.gpg] https://brave-browser-apt-release.s3.brave.com/ stable main"
        filename: brave-browser
        state: present
        update_cache: false
      when: brave_repo_check.stdout in ["not_exists", "wrong_config"]

    - name: Update apt cache after adding Brave repository (ignore NodeSource errors)
      ansible.builtin.shell: |
        apt-get update 2>&1 | grep -v "nodesource\|NO_PUBKEY.*2F59B5F99B1BE0B4" || true
      become: true
      ignore_errors: true
      when: brave_repo_check.stdout in ["not_exists", "wrong_config"]

    - name: Install Brave browser
      ansible.builtin.apt:
        name: brave-browser
        state: present

- name: Display application status
  ansible.builtin.debug:
    msg:
      - "Desktop apps needed: {{ applications_desktop_apps_needed }}"
      - "Brave needed: {{ applications_brave_needs_install }}"
      - "Redshift: {{ 'Installed' if 'redshift' in ansible_facts.packages else 'Missing' }}"
      - "LibreOffice: {{ 'Installed' if 'libreoffice' in ansible_facts.packages else 'Missing' }}"
      - "Evince: {{ 'Installed' if 'evince' in ansible_facts.packages else 'Missing' }}"
      - "Brave: {{ applications_brave_check.stdout if applications_brave_check.rc == 0 else 'Not installed' }}"
  when: ansible_debug_output | default(false) | bool