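---
# Full initial deployment of Changemaker Lite instances
# Usage: ansible-playbook playbooks/deploy.yml [--limit hostname]
#
# Play order: the pre_tasks secret check runs first, then the roles, then the
# post_tasks summary. A host that fails the secret check never reaches a role.

- name: Deploy Changemaker Lite
  hosts: changemaker_instances
  serial: 1  # One at a time for initial deploys
  become: true

  pre_tasks:
    # Fail before any role runs if a required secret is undefined, empty or
    # null, or still set to the 'GENERATE_ME' placeholder. The `is truthy`
    # test covers a vault entry that exists but has no value: an empty string
    # passes both `is defined` and the placeholder comparison.
    # This is a presence check only; it does not assess the length or
    # randomness of the secrets.
    - name: Validate required vault variables
      ansible.builtin.assert:
        that:
          - vault_cml_v2_postgres_password is defined
          - vault_cml_v2_postgres_password is truthy
          - vault_cml_v2_postgres_password != 'GENERATE_ME'
          - vault_cml_redis_password is defined
          - vault_cml_redis_password is truthy
          - vault_cml_redis_password != 'GENERATE_ME'
          - vault_cml_jwt_access_secret is defined
          - vault_cml_jwt_access_secret is truthy
          - vault_cml_jwt_access_secret != 'GENERATE_ME'
          - vault_cml_encryption_key is defined
          - vault_cml_encryption_key is truthy
          - vault_cml_encryption_key != 'GENERATE_ME'
          - vault_cml_initial_admin_password is defined
          - vault_cml_initial_admin_password is truthy
          - vault_cml_initial_admin_password != 'GENERATE_ME'
        fail_msg: >
          Required secrets not configured.
          Run: ./scripts/bootstrap-vault.sh {{ inventory_hostname }}
        # Keep successful runs terse.
        quiet: true

  roles:
    - common
    - changemaker
    # Monitoring is optional and gated on a per-host/group flag.
    - role: monitoring
      when: cml_monitoring_enabled | bool

  post_tasks:
    # The summary prints the domain and feature flags only; no vault values
    # are interpolated into the message.
    - name: Deployment summary
      ansible.builtin.debug:
        msg: |
          Deployment complete for {{ cml_domain }}
          Admin: https://app.{{ cml_domain }}
          API: https://api.{{ cml_domain }}
          Monitoring: {{ 'enabled' if cml_monitoring_enabled | bool else 'disabled' }}
          Bunker Ops: {{ 'Tier 2 (fleet)' if bunker_ops_enabled | bool else 'Standalone' }}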