---
- name: Verify vaultwarden role
  hosts: localhost
  gather_facts: false
  vars:
    vaultwarden_data_dir: /tmp/sovereign_test/vaultwarden
    vaultwarden_domain: vault.test.example.com
    vaultwarden_admin_token: test_vaultwarden_admin_token
    vaultwarden_version: latest

  tasks:
    - name: Check vaultwarden data directory exists
      ansible.builtin.stat:
        path: "/tmp/sovereign_test/vaultwarden"
      register: data_dir_stat

    - name: Assert vaultwarden data directory is present
      ansible.builtin.assert:
        that: data_dir_stat.stat.isdir
        fail_msg: "Data directory /tmp/sovereign_test/vaultwarden was not created"

    - name: Check docker-compose.yml exists
      ansible.builtin.stat:
        path: "/tmp/sovereign_test/vaultwarden/docker-compose.yml"
      register: compose_stat

    - name: Assert docker-compose.yml was rendered
      ansible.builtin.assert:
        that: compose_stat.stat.exists
        fail_msg: "docker-compose.yml was not rendered for vaultwarden"

    - name: Read docker-compose.yml
      ansible.builtin.slurp:
        src: "/tmp/sovereign_test/vaultwarden/docker-compose.yml"
      register: compose_raw

    - name: Set compose content fact
      ansible.builtin.set_fact:
        compose: "{{ compose_raw.content | b64decode }}"

    - name: Assert vaultwarden server image is present
      ansible.builtin.assert:
        that: "'vaultwarden/server' in compose"
        fail_msg: "vaultwarden/server image not found in docker-compose.yml"

    - name: Assert vaultwarden domain traefik rule is present
      ansible.builtin.assert:
        that: "'Host(`vault.test.example.com`)' in compose"
        fail_msg: "Traefik rule for vault.test.example.com not found in docker-compose.yml"

    - name: Assert admin token is present in compose
      ansible.builtin.assert:
        that: "'test_vaultwarden_admin_token' in compose"
        fail_msg: "vaultwarden_admin_token not found in docker-compose.yml"

    - name: Assert GELF logging address is present
      ansible.builtin.assert:
        that: "'udp://127.0.0.1:12201' in compose"
        fail_msg: "GELF logging address udp://127.0.0.1:12201 not found in docker-compose.yml"

    - name: Assert sovereign network is external
      ansible.builtin.assert:
        that: "'external: true' in compose"
        fail_msg: "external: true not found in docker-compose.yml networks section"