---
- name: Skip Newt when not enabled
  ansible.builtin.debug:
    msg: "noble_newt_install is false — set PANGOLIN_ENDPOINT, NEWT_ID, NEWT_SECRET in repo .env (or create the Secret manually) and set noble_newt_install=true to deploy Newt."
  when: not (noble_newt_install | bool)
  tags: [newt]

- name: Deploy Newt (Pangolin tunnel) and optional Pangolin HTTP resource sync
  when: noble_newt_install | bool
  tags: [newt, pangolin]
  block:
    - name: Create Newt namespace
      ansible.builtin.command:
        argv:
          - kubectl
          - apply
          - -f
          - "{{ noble_repo_root }}/clusters/noble/bootstrap/newt/namespace.yaml"
      environment:
        KUBECONFIG: "{{ noble_kubeconfig }}"
      changed_when: true

    - name: Apply Newt Pangolin auth Secret from repository .env (optional)
      ansible.builtin.include_tasks: from_env.yml

    - name: Install Newt chart
      ansible.builtin.command:
        argv:
          - helm
          - upgrade
          - --install
          - newt
          - fossorial/newt
          - --namespace
          - newt
          - --version
          - "1.5.0"
          - -f
          - "{{ noble_repo_root }}/clusters/noble/bootstrap/newt/values.yaml"
          - --force-conflicts
          - --wait
      environment:
        KUBECONFIG: "{{ noble_kubeconfig }}"
      changed_when: true

    - name: Optional Pangolin Integration API (HTTP resources + Traefik targets)
      ansible.builtin.include_tasks: pangolin_sync.yml
      when: noble_pangolin_sync_http_resources | default(false) | bool