---
# NetBird agent enrollment (ADR-016). Additive only — no firewall change here.
# Every task below is gated on base__mesh_manage and carries the "mesh" tag so
# the mesh rollout can be run, or skipped, on its own.

- name: Install NetBird apt prerequisites
  ansible.builtin.apt:
    name:
      - ca-certificates
      - curl
      - gnupg
    state: present
    update_cache: true
  when: base__mesh_manage | bool
  tags:
    - mesh

- name: Ensure /etc/apt/keyrings exists
  ansible.builtin.file:
    path: /etc/apt/keyrings
    state: directory
    mode: '0755'  # quoted so the leading zero is not parsed as an octal int
  when: base__mesh_manage | bool
  tags:
    - mesh

- name: Add the NetBird APT GPG key
  # Fetched over HTTPS with no `checksum:`, so the key is trusted as served.
  # NOTE(review): a sha256 pin here would fail the play on a swapped key
  # instead of letting apt trust it — requires the key's known digest.
  ansible.builtin.get_url:
    url: https://pkgs.netbird.io/debian/public.key
    dest: /etc/apt/keyrings/netbird.asc
    mode: '0644'
  when: base__mesh_manage | bool
  tags:
    - mesh

- name: Add the NetBird APT repository
  ansible.builtin.apt_repository:
    # signed-by scopes the key above to this repository only.
    repo: >-
      deb [signed-by=/etc/apt/keyrings/netbird.asc]
      https://pkgs.netbird.io/debian stable main
    filename: netbird
    state: present
  when: base__mesh_manage | bool
  tags:
    - mesh

# The apt pin string can't be confirmed from docs — it might be a bare "0.72.4" or
# carry a packaging suffix. The live deploy task confirms the exact on-host string.
- name: Install the NetBird agent (pinned)
  ansible.builtin.apt:
    # pkg=version form: apt installs exactly base__mesh_version rather than
    # whatever the repository currently calls "latest".
    name: 'netbird={{ base__mesh_version }}'
    state: present
    update_cache: true
  when: base__mesh_manage | bool
  tags:
    - mesh

- name: Check current NetBird connection status
  # Read-only probe. failed_when: false means an unreachable or not-yet-enrolled
  # daemon falls through to the enrolment task instead of aborting the play.
  ansible.builtin.command: netbird status
  register: _netbird_status
  changed_when: false
  failed_when: false
  when: base__mesh_manage | bool
  tags:
    - mesh

- name: Enrol this host in the mesh
  # Runs only while the probe above does not report a connected management
  # channel; default('') covers a skipped probe, whose result has no stdout.
  ansible.builtin.command: >-
    netbird up
    --management-url {{ base__mesh_management_url }}
    --setup-key {{ base__mesh_setup_key }}
  register: _netbird_up
  changed_when: _netbird_up.rc == 0
  when:
    - base__mesh_manage | bool
    - "'Management: Connected' not in (_netbird_status.stdout | default(''))"
  # no_log keeps the setup key out of Ansible output, but the key is still on
  # the argv (readable from the process list) for the lifetime of the command.
  # NOTE(review): if the pinned release can read the key from a file
  # (--setup-key-file), prefer that over argv — confirm against the pinned version.
  no_log: true
  tags:
    - mesh

- name: Pin the NetBird coordinator FQDN in /etc/hosts (DNS-resilience, ADR-016 availability / R8)
  ansible.builtin.lineinfile:
    path: /etc/hosts
    # Matches only a line whose last token is the coordinator FQDN; a line with
    # trailing whitespace or further aliases after the FQDN is not matched and a
    # second line would be appended rather than replaced.
    regexp: '\s{{ _coordinator_fqdn | regex_escape }}$'
    line: '{{ base__mesh_coordinator_pin }} {{ _coordinator_fqdn }}'
    state: present
    # /etc/hosts is a bind mount in Docker; atomic rename is impossible
    unsafe_writes: true
  vars:
    # Host part of the management URL: scheme stripped, then everything from
    # the first ':' or '/' onward dropped.
    _coordinator_fqdn: "{{ base__mesh_management_url | regex_replace('^https?://', '') | regex_replace('[:/].*', '') }}"
  # NOTE(review): gated on base__mesh_enabled while the install tasks gate on
  # base__mesh_manage — confirm the two flags are meant to differ here.
  when:
    - base__mesh_enabled | bool
    - base__mesh_coordinator_pin | length > 0
  tags:
    - mesh