---
- name: APT update + dist-upgrade (minimal + vault become)
  hosts: debians
  gather_facts: false
  become: true
  become_method: sudo

  vars:
    apt_update_timeout_seconds: 300
    apt_http_timeout_seconds: 20
    apt_force_ipv4: true

  pre_tasks:
    - name: Charger les variables vault (become_passwords)
      ansible.builtin.include_vars:
        file: "../group_vars/all/vault.yml"
        name: vault_secrets

    - name: Normaliser la map des mots de passe
      ansible.builtin.set_fact:
        _become_map: >-
          {{ vault_secrets.become_passwords
             if (vault_secrets is mapping and 'become_passwords' in vault_secrets)
             else vault_secrets }}

    - name: Vérifier que le mot de passe existe pour l’hôte courant
      ansible.builtin.assert:
        that:
          - _become_map is mapping
          - inventory_hostname in _become_map
        fail_msg: >-
          Mot de passe manquant pour {{ inventory_hostname }}.
          Clés disponibles: {{ _become_map.keys() | list | sort | join(', ') }}

    - name: Définir le mot de passe sudo (variable officielle)
      ansible.builtin.set_fact:
        ansible_become_password: "{{ _become_map[inventory_hostname] }}"
      no_log: true

  tasks:

    - name: Déployer le script MOTD personnalisé
      copy:
        src: ../sources/99-motd  # Chemin relatif depuis où tu exécutes le playbook
        dest: /etc/update-motd.d/99-motd
        owner: root
        group: root
        mode: '0755'
      become: yes