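---
# Bootstraps a fresh Appwrite instance:
#   1. Creates the console admin user
#   2. Creates the BAB project
#   3. Registers web platforms (CORS allowed origins)
#   4. Generates an Ansible automation API key
#   5. Stores the API key secret in Vault at kv/oys/bab-appwrite-api-key
#   6. Deletes the console admin session it opened (always, even on failure)
#
# Run once per environment after install_appwrite.yml.
# Safe to re-run: account and project creation tolerate 409.
# Platform and API key creation are NOT idempotent — re-running creates
# duplicates, and the Vault entry is overwritten with the newest key's secret
# while earlier keys stay valid in Appwrite. Delete stale entries from the
# console.
#
# Required vars (from inventory):
#   appwrite_domain        - e.g. appwrite.toal.ca (used to build admin URL)
#   appwrite_project       - project ID to create
#   appwrite_project_name  - human-readable project name (default: BAB)
#   appwrite_web_platforms - list of {name, hostname} dicts for CORS origins
# Optional vars:
#   appwrite_admin_user_id - user ID of the console admin (default: bab-admin)
#
# Admin credentials (bab_admin_user, bab_admin_password) are read from Vault
# at kv/oys/bab_admin; no secret is taken from inventory.
#
# Note: uses appwrite_domain directly, not appwrite_admin_uri, because
# appwrite_admin_uri may point to an app-layer proxy (e.g. nginx) that
# does not expose the Appwrite admin/console endpoints.

- name: Bootstrap Appwrite — Admin, Project, and API Key
  hosts: appwrite
  gather_facts: false
  vars:
    # Play-level value so every task below talks to Appwrite itself rather
    # than to whatever the inventory's appwrite_admin_uri points at.
    appwrite_admin_uri: "https://{{ appwrite_domain }}/v1"
    # Headers shared by every console API call; authenticated tasks add the
    # JWT on top of these with `combine`.
    appwrite_console_headers:
      X-Appwrite-Project: console
      X-Appwrite-Response-Format: "1.6"

  tasks:
    - name: Read admin credentials from Vault
      community.hashi_vault.vault_kv2_get:
        path: oys/bab_admin
        engine_mount_point: kv
      register: vault_admin
      no_log: true
      delegate_to: localhost

    - name: Create Appwrite console admin account
      ansible.builtin.uri:
        url: "{{ appwrite_admin_uri }}/account"
        method: POST
        body_format: json
        headers: "{{ appwrite_console_headers }}"
        body:
          userId: "{{ appwrite_admin_user_id | default('bab-admin') }}"
          email: "{{ vault_admin.secret.bab_admin_user }}"
          password: "{{ vault_admin.secret.bab_admin_password }}"
        # 201: created. 409: account already exists (re-run). 501: also
        # tolerated -- presumably Appwrite declining further console sign-ups
        # once an admin exists; confirm against the response body if hit.
        status_code: [201, 409, 501]
        return_content: true
      delegate_to: localhost
      no_log: true

    - name: Create admin session
      ansible.builtin.uri:
        url: "{{ appwrite_admin_uri }}/account/sessions/email"
        method: POST
        body_format: json
        headers: "{{ appwrite_console_headers }}"
        body:
          email: "{{ vault_admin.secret.bab_admin_user }}"
          password: "{{ vault_admin.secret.bab_admin_password }}"
        status_code: [201]
        return_content: true
      register: admin_session
      delegate_to: localhost
      # The request body carries the admin password and the registered result
      # carries the session cookie, so this task is never logged.
      no_log: true

    - name: Create JWT from admin session
      ansible.builtin.uri:
        url: "{{ appwrite_admin_uri }}/account/jwt"
        method: POST
        body_format: json
        headers: "{{ appwrite_console_headers | combine({'Cookie': admin_session.cookies_string}) }}"
        status_code: [201]
        return_content: true
      register: admin_jwt
      delegate_to: localhost
      no_log: true

    # Everything that needs the JWT runs inside one block so the console
    # session is closed in `always`, whether or not a step fails. The tasks
    # that are not `no_log` include the JWT header in their -v module_args
    # output; that is the trade-off for seeing their error bodies.
    - name: Configure project with the admin JWT, then close the session
      block:
        - name: Get admin user teams
          ansible.builtin.uri:
            url: "{{ appwrite_admin_uri }}/teams"
            method: GET
            headers: "{{ appwrite_console_headers | combine({'X-Appwrite-JWT': admin_jwt.json.jwt}) }}"
            status_code: [200]
            return_content: true
          register: admin_teams
          delegate_to: localhost

        # Project creation below indexes teams[0]; fail with a clear message
        # instead of an undefined-variable error when the list is empty.
        - name: Ensure the admin user belongs to at least one team
          ansible.builtin.assert:
            that:
              - admin_teams.json.teams | length > 0
            fail_msg: "Admin user has no teams; cannot choose a teamId for project creation"
            quiet: true

        - name: Create BAB project
          ansible.builtin.uri:
            url: "{{ appwrite_admin_uri }}/projects"
            method: POST
            body_format: json
            headers: "{{ appwrite_console_headers | combine({'X-Appwrite-JWT': admin_jwt.json.jwt}) }}"
            body:
              projectId: "{{ appwrite_project }}"
              name: "{{ appwrite_project_name | default('BAB') }}"
              # The project is owned by the admin's first team.
              teamId: "{{ admin_teams.json.teams[0]['$id'] }}"
              region: default
            # 409: project already exists (re-run).
            status_code: [201, 409]
            return_content: true
          delegate_to: localhost
          # Left loggable on purpose so a failed create shows its error body.
          no_log: false

        - name: Register web platforms (CORS allowed origins)
          ansible.builtin.uri:
            url: "{{ appwrite_admin_uri }}/projects/{{ appwrite_project }}/platforms"
            method: POST
            body_format: json
            headers: "{{ appwrite_console_headers | combine({'X-Appwrite-JWT': admin_jwt.json.jwt}) }}"
            body:
              type: web
              name: "{{ item.name }}"
              hostname: "{{ item.hostname }}"
            # Only 201 is accepted: re-running with an existing hostname is
            # not tolerated here, see the header note on idempotency.
            status_code: [201]
            return_content: true
          loop: "{{ appwrite_web_platforms | default([]) }}"
          loop_control:
            label: "{{ item.hostname }}"
          delegate_to: localhost

        - name: Create Ansible automation API key
          ansible.builtin.uri:
            url: "{{ appwrite_admin_uri }}/projects/{{ appwrite_project }}/keys"
            method: POST
            body_format: json
            headers: "{{ appwrite_console_headers | combine({'X-Appwrite-JWT': admin_jwt.json.jwt}) }}"
            body:
              name: ansible-automation
              # Scopes granted to the automation key; trim this list if a
              # consumer needs fewer of them.
              scopes:
                - databases.read
                - databases.write
                - collections.read
                - collections.write
                - attributes.read
                - attributes.write
                - indexes.read
                - indexes.write
                - documents.read
                - documents.write
                - users.read
                - users.write
            status_code: [201]
            return_content: true
          register: api_key
          delegate_to: localhost
          # The response body contains the key secret.
          no_log: true

        - name: Store API key secret in Vault
          community.hashi_vault.vault_kv2_write:
            path: oys/bab-appwrite-api-key
            engine_mount_point: kv
            data:
              appwrite_api_key: "{{ api_key.json.secret }}"
          delegate_to: localhost
          no_log: true

      always:
        # Do not leave a live console admin session behind once the run ends.
        - name: Delete admin session
          ansible.builtin.uri:
            url: "{{ appwrite_admin_uri }}/account/sessions/current"
            method: DELETE
            headers: "{{ appwrite_console_headers | combine({'Cookie': admin_session.cookies_string}) }}"
            status_code: [204]
          delegate_to: localhost
          no_log: true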