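---
# Tasks for the postgres role: validate inputs, install packages, deploy the
# configuration files with restrictive permissions, open the firewall only to
# the allowed sources, start the service and set the admin password.

- name: Validate required password is set
  ansible.builtin.assert:
    that:
      - postgres_admin_password is defined
      # Conditions are evaluated in order, so the length check only runs once
      # the variable is known to be defined.
      - postgres_admin_password | length >= 12
    fail_msg: |
      postgres_admin_password is required (min 12 chars).
      See roles/postgres/defaults/main.yml for configuration instructions.
    success_msg: "Password validation passed"

- name: Load OS-specific variables
  ansible.builtin.include_vars: "{{ item }}"
  with_first_found:
    # NOTE(review): os_family is used as-is here but lowercased for the task
    # include below; on a case-sensitive filesystem the family-specific vars
    # file is only found if its filename matches the fact's case — confirm
    # which spelling the vars files use.
    - "{{ ansible_facts['os_family'] }}.yml"
    - debian.yml

- name: Install PostgreSQL packages
  ansible.builtin.package:
    name: "{{ postgres_packages }}"
    state: present

- name: Include OS-specific tasks
  ansible.builtin.include_tasks: "{{ ansible_facts['os_family'] | lower }}.yml"

# Config directory is readable by the postgres user/group only.
- name: Ensure PostgreSQL config directory exists
  ansible.builtin.file:
    path: "{{ postgres_config_dir }}"
    state: directory
    owner: postgres
    group: postgres
    mode: "0750"

# Matches both a commented-out and an active include_dir line so the setting
# is enabled exactly once.
- name: Enable include_dir in main postgresql.conf
  ansible.builtin.lineinfile:
    path: "{{ postgres_config_path }}"
    regexp: "^#?include_dir ="
    line: "include_dir = 'conf.d'"
    state: present
  notify: Restart PostgreSQL

- name: Deploy custom PostgreSQL configuration
  ansible.builtin.template:
    src: custom.conf.j2
    dest: "{{ postgres_config_dir }}/custom.conf"
    owner: postgres
    group: postgres
    mode: "0640"
  notify: Restart PostgreSQL

# pg_hba.conf controls client authentication; keep it unreadable to others.
- name: Deploy pg_hba.conf from template
  ansible.builtin.template:
    src: pg_hba.conf.j2
    dest: "{{ postgres_hba_path }}"
    owner: postgres
    group: postgres
    mode: "0640"
  notify: Restart PostgreSQL

# One allow rule per entry in postgres_firewall_allowed_sources; an empty list
# opens nothing. Retried because ufw can fail transiently on a lock.
- name: Setup firewall rules for PostgreSQL
  community.general.ufw:
    rule: allow
    src: "{{ item }}"
    port: "{{ postgres_port }}"
    proto: tcp
    direction: in
    comment: "PostgreSQL"
  loop: "{{ postgres_firewall_allowed_sources }}"
  retries: 5
  delay: 2
  register: ufw_result
  until: ufw_result is succeeded

- name: Enable and start PostgreSQL service
  ansible.builtin.systemd:
    name: "{{ postgres_service_name }}"
    enabled: true
    state: started

- name: Deploy logrotate configuration for PostgreSQL
  ansible.builtin.template:
    src: logrotate-postgresql.j2
    dest: /etc/logrotate.d/postgresql
    owner: root
    group: root
    mode: "0644"
  when: postgres_log_backend == 'file'

- name: Remove logrotate configuration when using journald
  ansible.builtin.file:
    path: /etc/logrotate.d/postgresql
    state: absent
  when: postgres_log_backend == 'journald'

- name: Set PostgreSQL admin user password
  community.postgresql.postgresql_user:
    name: "{{ postgres_admin_user }}"
    password: "{{ postgres_admin_password }}"
    state: present
  # The module arguments contain the password; without no_log it is written to
  # verbose output and to any configured log_path.
  no_log: true
  # NOTE(review): become_user has no effect while become is false, so this
  # task runs as the connecting user. If it relies on local peer auth it
  # likely needs become: true with become_user: postgres — confirm against the
  # play's connection and authentication setup.
  become: false
  become_user: "{{ postgres_admin_user }}"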