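---
# Debian dist-upgrade play with a per-host sudo password taken from the vault.
#
# Flow:
#   1. pre_tasks: load the vault, select this host's become password, gather facts.
#   2. tasks: repair a Sury (packages.sury.org) PHP repository whose signing key
#      has expired (if that repository is configured), refresh the APT cache,
#      skip hosts where a simulated dist-upgrade would downgrade packages
#      (unless apt_allow_downgrades is true), then run the dist-upgrade.
- name: Upgrade Debian avec become_pass dynamique (v2)
  hosts: debians
  gather_facts: false
  become: true
  become_method: sudo

  pre_tasks:
    # The loaded vars and the derived map hold every host's sudo password;
    # include_vars and set_fact echo their ansible_facts under -v, so both
    # tasks are no_log.
    - name: Charger les variables vault (become_passwords)
      ansible.builtin.include_vars:
        file: "../group_vars/all/vault.yml"
        name: vault_secrets
      no_log: true

    # Accept either {become_passwords: {host: pass}} or a flat {host: pass} vault.
    - name: Normaliser la map des mots de passe (gère vault avec ou sans clé become_passwords)
      ansible.builtin.set_fact:
        _become_map: >-
          {{ vault_secrets.become_passwords
          if (vault_secrets is mapping and 'become_passwords' in vault_secrets)
          else vault_secrets }}
      no_log: true

    # The failure message lists only the map's keys (host names), never values.
    - name: Vérifier que le mot de passe existe pour l’hôte courant
      ansible.builtin.assert:
        that:
          - _become_map is mapping
          - inventory_hostname in _become_map
        fail_msg: >-
          Mot de passe manquant pour {{ inventory_hostname }}.
          Clés disponibles: {{ _become_map.keys() | list | sort | join(', ') }}

    - name: Définir le mot de passe sudo (variable officielle)
      ansible.builtin.set_fact:
        ansible_become_password: "{{ _become_map[inventory_hostname] }}"
      no_log: true

    # Facts are gathered only now, once the become password is in place;
    # ansible_facts['distribution_release'] is used in the Sury source below.
    - name: Charger les facts système (setup)
      ansible.builtin.setup:

  tasks:
    # --------------------------------------------------------------------
    # FIX: Sury repository (packages.sury.org) - expired signing key (EXPKEYSIG)
    # --------------------------------------------------------------------
    - name: Détecter la présence du dépôt Sury (packages.sury.org/php)
      ansible.builtin.command: grep -Rqs packages.sury.org/php /etc/apt/sources.list /etc/apt/sources.list.d
      register: sury_present
      changed_when: false
      failed_when: false

    # Only one-line "deb ..." entries are commented out further down; a DEB822
    # ".sources" entry would be detected here but left active, so the dedicated
    # sury-php.list would then duplicate it — worth checking on such hosts.
    - name: Lister les fichiers APT contenant Sury
      ansible.builtin.shell: |
        grep -rl 'packages.sury.org/php' /etc/apt/sources.list /etc/apt/sources.list.d 2>/dev/null || true
      register: sury_files
      changed_when: false
      when: sury_present.rc == 0

    # update_cache stays off here: presumably "apt update" cannot succeed while
    # the expired key is still in use, and the cache is refreshed after the fix.
    - name: Installer les prérequis (curl/ca-certificates/lsb-release)
      ansible.builtin.apt:
        name:
          - curl
          - ca-certificates
          - lsb-release
        state: present
        update_cache: false
        force_apt_get: true
        lock_timeout: 600
      environment:
        DEBIAN_FRONTEND: noninteractive
      when: sury_present.rc == 0

    # This .deb is the trust anchor for the repository. TLS does not bind the
    # artifact's content, so pin its digest via sury_keyring_checksum
    # (get_url format "sha256:<hex>", obtained out of band); when the variable
    # is unset the parameter is omitted and the download is unverified.
    # dest is a fixed name in world-writable /tmp; a root-owned directory
    # would avoid pre-creation of that path by other local users.
    - name: Télécharger le keyring Sury (debsuryorg-archive-keyring)
      ansible.builtin.get_url:
        url: https://packages.sury.org/debsuryorg-archive-keyring.deb
        dest: /tmp/debsuryorg-archive-keyring.deb
        mode: "0644"
        checksum: "{{ sury_keyring_checksum | default(omit) }}"
      when: sury_present.rc == 0

    - name: Installer le keyring Sury (.deb)
      ansible.builtin.apt:
        deb: /tmp/debsuryorg-archive-keyring.deb
        force_apt_get: true
        lock_timeout: 600
      environment:
        DEBIAN_FRONTEND: noninteractive
      when: sury_present.rc == 0

    # Comment out every active "deb"/"deb-src" Sury line in the files found
    # above; already-commented lines do not match the pattern.
    - name: Commenter les anciennes lignes Sury (si présentes)
      ansible.builtin.replace:
        path: "{{ item }}"
        regexp: '^(?!#)\s*(deb(?:-src)?\s+.*packages\.sury\.org/php.*)$'
        replace: '# \1'
      loop: "{{ sury_files.stdout_lines | default([]) }}"
      when:
        - sury_present.rc == 0
        - (sury_files.stdout | default('')) | length > 0

    # Single source entry bound to the new keyring with signed-by, so the key
    # is trusted for this repository only.
    - name: Recréer une source Sury propre avec signed-by (fichier dédié)
      ansible.builtin.copy:
        dest: /etc/apt/sources.list.d/sury-php.list
        mode: "0644"
        content: |
          deb [signed-by=/usr/share/keyrings/debsuryorg-archive-keyring.gpg] https://packages.sury.org/php/ {{ ansible_facts['distribution_release'] }} main
      when: sury_present.rc == 0

    # --------------------------------------------------------------------
    # APT update + debug output on failure
    # --------------------------------------------------------------------
    - name: Mise à jour du cache APT (forcée)
      block:
        - name: apt update_cache
          ansible.builtin.apt:
            update_cache: true
            cache_valid_time: 0
            force_apt_get: true
            update_cache_retries: 5
            update_cache_retry_max_delay: 15
            lock_timeout: 600
      rescue:
        # Re-run apt-get update once more only to capture its output for the
        # failure message; the host still fails.
        - name: Debug apt-get update
          ansible.builtin.shell: |
            apt-get update 2>&1 | tail -n 200
          args:
            executable: /bin/bash
          register: apt_update_debug
          changed_when: false

        - name: Échec de la mise à jour APT
          ansible.builtin.fail:
            msg: |
              APT update a échoué sur {{ inventory_hostname }}.
              {{ apt_update_debug.stdout }}

    # --------------------------------------------------------------------
    # Upgrade (downgrades are refused unless apt_allow_downgrades is true)
    # --------------------------------------------------------------------
    # apt localises its messages: force the C locale so the "DOWNGRADED"
    # marker tested below is emitted whatever the host's LANG is.
    - name: Simulation dist-upgrade (détection downgrades)
      ansible.builtin.command: apt-get -s -o Dpkg::Use-Pty=0 dist-upgrade
      environment:
        LC_ALL: C
      register: sim
      changed_when: false

    # The block-level when gates both tasks. A host that opted in with
    # apt_allow_downgrades is not stopped; the downgrade is then accepted by
    # the dist-upgrade task below.
    - name: Stopper cet hôte si downgrades détectés
      when:
        - sim.stdout is search("DOWNGRADED")
        - not (apt_allow_downgrades | default(false) | bool)
      block:
        - name: Afficher les downgrades détectés
          ansible.builtin.debug:
            msg: |
              Downgrades détectés sur {{ inventory_hostname }} => je saute l'upgrade pour éviter un downgrade dangereux.
              Extrait:
              {{ (sim.stdout_lines | select('search','DOWNGRADED') | list) | join('\n') }}

        - name: Fin du play pour cet hôte
          ansible.builtin.meta: end_host

    # force-confdef/force-confold keep locally modified config files, so the
    # run never blocks on a dpkg conffile prompt.
    - name: Upgrade des paquets (dist-upgrade) + nettoyage
      ansible.builtin.apt:
        upgrade: dist
        autoremove: true
        autoclean: true
        force_apt_get: true
        lock_timeout: 600
        dpkg_options: "force-confdef,force-confold"
        allow_downgrade: "{{ apt_allow_downgrades | default(false) }}"
      environment:
        DEBIAN_FRONTEND: noninteractive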