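---
# Dist-upgrade Debian hosts, resolving each host's sudo password from a
# vault-encrypted map keyed by inventory hostname.
#
# Fact gathering is disabled at play level and run explicitly as the last
# pre_task, after ansible_become_password has been set; presumably so that the
# setup module can already run with privilege escalation.
- name: Upgrade Debian avec become_pass dynamique (v2)
  hosts: all
  gather_facts: false
  become: true
  become_method: sudo

  pre_tasks:
    # Loads the vault file into the `vault_secrets` namespace. The task result
    # carries every loaded variable, and Ansible prints task results at -v and
    # above, so the result is suppressed. Trade-off: a decryption or path
    # error is reported as censored; temporarily drop no_log to debug it.
    - name: Charger les variables vault (become_passwords)
      ansible.builtin.include_vars:
        file: "../group_vars/all/vault.yml"
        name: vault_secrets
      no_log: true

    # Accepts both vault layouts: a top-level `become_passwords` mapping, or a
    # file whose top level is itself the hostname -> password mapping.
    # `_become_map` holds the passwords of every host, so this result must not
    # reach stdout, callback plugins or log files either.
    - name: Normaliser la map des mots de passe (gère vault avec ou sans clé become_passwords)
      ansible.builtin.set_fact:
        _become_map: >-
          {{ vault_secrets.become_passwords
          if (vault_secrets is mapping and 'become_passwords' in vault_secrets)
          else vault_secrets }}
      no_log: true

    # Fails early with a readable message instead of a sudo prompt timeout.
    # Only the map's keys are printed on failure, never its values.
    # NOTE(review): in the fallback layout the keys are the top-level variable
    # names of the vault file; confirm that listing them is acceptable.
    - name: Vérifier que le mot de passe existe pour l’hôte courant
      ansible.builtin.assert:
        that:
          - _become_map is mapping
          - inventory_hostname in _become_map
        fail_msg: >-
          Mot de passe manquant pour {{ inventory_hostname }}.
          Clés disponibles: {{ _become_map.keys() | list | sort | join(', ') }}

    # ansible_become_password is the variable Ansible reads for privilege
    # escalation; it is set per host from the map.
    - name: Définir le mot de passe sudo (variable officielle)
      ansible.builtin.set_fact:
        ansible_become_password: "{{ _become_map[inventory_hostname] }}"
      no_log: true

    # Explicit fact gathering, replacing the disabled implicit one.
    - name: Charger les facts système (setup)
      ansible.builtin.setup:

  tasks:
    # Refreshes the package index unless it is younger than one hour.
    - name: Mise à jour du cache APT
      ansible.builtin.apt:
        update_cache: true
        cache_valid_time: 3600

    - name: Upgrade des paquets (dist-upgrade) + nettoyage
      ansible.builtin.apt:
        upgrade: dist
        autoremove: true
        autoclean: true

# Optional: limit the run to your own group from the CLI (-l).
# Recommended invocation:
#   ansible-playbook -i inventory/inventory.ini playbooks/apt-upgrade_v2.yml --ask-vault-pass -l debians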