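---
# Tasks that provision the OpenClaw service account, its rootless Podman
# socket, Node.js from the NodeSource apt repository, the OpenClaw npm package,
# its configuration file, and the systemd unit.
#
# Variables read here (defined outside this file): openclaw_user,
# openclaw_group, openclaw_home, openclaw_state_dir, openclaw_node_version,
# openclaw_version. The handlers "Restart openclaw" and "Reload systemd" are
# also defined outside this file.

# ---------------------------------------------------------------------------
# System user and directories
# ---------------------------------------------------------------------------

- name: Create openclaw group
  ansible.builtin.group:
    name: "{{ openclaw_group }}"
    system: false
    state: present

# The account gets a nologin shell, so it cannot be used for interactive
# logins; it exists only to own the service and its containers.
- name: Create openclaw user
  ansible.builtin.user:
    name: "{{ openclaw_user }}"
    group: "{{ openclaw_group }}"
    home: "{{ openclaw_home }}"
    shell: /sbin/nologin
    system: false  # must be non-system: subuid/subgid entries required for rootless Podman
    create_home: true
    state: present

# Read-only lookup, hence changed_when: false.
- name: Get openclaw user UID
  ansible.builtin.command:
    cmd: "id -u {{ openclaw_user }}"
  register: __openclaw_uid_result
  changed_when: false

- name: Set openclaw UID fact
  ansible.builtin.set_fact:
    __openclaw_uid: "{{ __openclaw_uid_result.stdout }}"

# Lingering keeps the user's systemd instance running without a login session.
# systemd-logind records it as a flag file under /var/lib/systemd/linger, so
# `creates` skips the command (and reports "ok") once lingering is already on.
# The previous `changed_when: rc == 0` reported a change on every run.
- name: Enable lingering for openclaw user
  ansible.builtin.command:
    cmd: "loginctl enable-linger {{ openclaw_user }}"
    creates: "/var/lib/systemd/linger/{{ openclaw_user }}"
  register: __openclaw_linger

# Runs as the service user against its own systemd instance. The two
# environment variables point systemctl at that user's runtime directory and
# D-Bus socket, which is needed because no login session sets them.
# NOTE(review): anything that can reach this socket can drive the user's
# containers - confirm only the openclaw account has access to it.
- name: Enable rootless Podman socket for openclaw user
  ansible.builtin.systemd:
    name: podman.socket
    enabled: true
    state: started
    scope: user
  become: true
  become_user: "{{ openclaw_user }}"
  environment:
    XDG_RUNTIME_DIR: "/run/user/{{ __openclaw_uid }}"
    DBUS_SESSION_BUS_ADDRESS: "unix:path=/run/user/{{ __openclaw_uid }}/bus"

# 0750: owner full access, group read/traverse, no access for others.
- name: Create OpenClaw state directory
  ansible.builtin.file:
    path: "{{ openclaw_state_dir }}"
    state: directory
    owner: "{{ openclaw_user }}"
    group: "{{ openclaw_group }}"
    mode: "0750"

# ---------------------------------------------------------------------------
# Node.js
# ---------------------------------------------------------------------------

# The signing key is stored as its own keyring file and bound to the NodeSource
# repository with signed-by. The previous apt_key task added it to apt's global
# trusted keyring, where it would be accepted for packages from every
# configured repository; apt-key is also deprecated.
- name: Ensure apt keyrings directory exists
  ansible.builtin.file:
    path: /etc/apt/keyrings
    state: directory
    owner: root
    group: root
    mode: "0755"

# NOTE(review): assumes the published key is ASCII-armored, as its .key name
# suggests; apt reads armored keys only from files ending in .asc. Consider
# pinning the download with get_url's `checksum` option once the expected
# digest is recorded. On hosts provisioned by the earlier apt_key task the key
# also remains in the global trusted keyring and should be removed there.
- name: Add NodeSource apt signing key
  ansible.builtin.get_url:
    url: "https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key"
    dest: /etc/apt/keyrings/nodesource.asc
    owner: root
    group: root
    mode: "0644"

# Hosts provisioned before signed-by was introduced still carry this line in
# nodesource.list; apt refuses sources that disagree on Signed-By for the same
# repository, so the old entry is removed first.
- name: Remove legacy NodeSource apt repository entry without signed-by
  ansible.builtin.apt_repository:
    repo: "deb https://deb.nodesource.com/node_{{ openclaw_node_version }}.x nodistro main"
    state: absent
    filename: nodesource

- name: Add NodeSource apt repository
  ansible.builtin.apt_repository:
    repo: >-
      deb [signed-by=/etc/apt/keyrings/nodesource.asc]
      https://deb.nodesource.com/node_{{ openclaw_node_version }}.x
      nodistro main
    state: present
    filename: nodesource

- name: Install Node.js
  ansible.builtin.apt:
    name: nodejs
    state: present
    update_cache: true

# NOTE(review): pnpm is installed unpinned, so each new host gets whatever
# version the registry serves at that moment - consider pinning it.
- name: Install pnpm globally
  community.general.npm:
    name: pnpm
    global: true
    state: present

# ---------------------------------------------------------------------------
# OpenClaw binary
# ---------------------------------------------------------------------------

# When openclaw_version is anything other than 'latest' it is passed through as
# the npm version, so the pin is actually enforced. Previously the value only
# selected state 'present', which installed whatever the registry offered on
# first run and ignored the requested version.
- name: Install OpenClaw via npm
  community.general.npm:
    name: openclaw
    version: "{{ (openclaw_version == 'latest') | ternary(omit, openclaw_version) }}"
    global: true
    state: "{{ 'latest' if openclaw_version == 'latest' else 'present' }}"
  notify: Restart openclaw

# ---------------------------------------------------------------------------
# Configuration
# ---------------------------------------------------------------------------

# 0640: writable by the service user, readable by its group, hidden from
# everyone else.
# NOTE(review): if the rendered config carries credentials, consider
# `no_log: true` so they do not appear in --diff output - confirm against the
# template.
- name: Template OpenClaw config
  ansible.builtin.template:
    src: openclaw-config.yaml.j2
    dest: "{{ openclaw_state_dir }}/config.yaml"
    owner: "{{ openclaw_user }}"
    group: "{{ openclaw_group }}"
    mode: "0640"
  notify: Restart openclaw

# ---------------------------------------------------------------------------
# Systemd service with hardening
# ---------------------------------------------------------------------------

# Ownership is set explicitly so the unit file is root-owned regardless of
# which account the play escalates to; the hardening directives themselves
# live in the template, not in this file.
- name: Template openclaw systemd service
  ansible.builtin.template:
    src: openclaw.service.j2
    dest: /etc/systemd/system/openclaw.service
    owner: root
    group: root
    mode: "0644"
  notify:
    - Reload systemd
    - Restart openclaw

# daemon_reload makes systemd pick up the unit written above before the
# service is started, since notified handlers only run later.
- name: Enable and start openclaw service
  ansible.builtin.systemd:
    name: openclaw
    enabled: true
    state: started
    daemon_reload: true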