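---
# Pangolin Integration API — public HTTP resources → Newt site → Traefik
# (see clusters/noble/bootstrap/newt/README.md §4).
# Included only when **noble_pangolin_sync_http_resources** is true.
#
# Flow: build the FQDN list, resolve the Traefik target IP, validate the
# inputs, then call the sync script. Every task except the final notice is
# gated on a non-empty FQDN list.

# Merge the three optional host sources; each one defaults to empty and
# duplicates are dropped.
- name: Build Pangolin HTTP FQDN list
  ansible.builtin.set_fact:
    noble_pangolin_http_fqdns_effective: >-
      {{
      (
      noble_pangolin_http_fqdns_extra | default([])
      + (noble_authentik_ingress_extra_hosts | default([]))
      + ([noble_open_webui_public_host | trim]
      if (noble_open_webui_public_host | default('') | trim | length) > 0
      else [])
      ) | unique | list
      }}

# Best-effort lookup: failed_when is false, so a kubectl failure is not fatal
# here. It leaves stdout empty (or absent) and the assert further down reports
# the missing IP.
- name: Discover Traefik LoadBalancer IP for Pangolin targets (when not set explicitly)
  ansible.builtin.command:
    argv:
      - kubectl
      - get
      - svc
      - '-n'
      - traefik
      - '-l'
      - app.kubernetes.io/name=traefik
      - '-o'
      - 'jsonpath={.items[0].status.loadBalancer.ingress[0].ip}'
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  register: noble_pangolin_traefik_lb_ip
  changed_when: false
  failed_when: false
  when:
    - noble_pangolin_http_fqdns_effective | length > 0
    - noble_pangolin_traefik_target_ip | default('') | trim | length == 0

# An explicit inventory value wins; otherwise fall back to the kubectl result.
- name: Resolve Traefik IP for Pangolin sync
  ansible.builtin.set_fact:
    noble_pangolin_traefik_ip_resolved: >-
      {{
      (noble_pangolin_traefik_target_ip | default('') | trim)
      if (noble_pangolin_traefik_target_ip | default('') | trim | length > 0)
      else (noble_pangolin_traefik_lb_ip.stdout | default('') | trim)
      }}
  when: noble_pangolin_http_fqdns_effective | length > 0

- name: Require Traefik IP for Pangolin sync
  ansible.builtin.assert:
    that:
      - noble_pangolin_traefik_ip_resolved | length > 0
    fail_msg: >-
      Set **noble_pangolin_traefik_target_ip** in inventory
      (Traefik Service LoadBalancer / MetalLB IP), or ensure **kubectl**
      can read **traefik** Services (see **clusters/noble/bootstrap/traefik/**).
  when: noble_pangolin_http_fqdns_effective | length > 0

# The sync task passes the port through `| int`, which turns a non-numeric
# value into 0. Reject that here so a bad inventory value is not pushed to the
# Pangolin API as a target port.
- name: Require valid Traefik target port for Pangolin sync
  ansible.builtin.assert:
    that:
      - noble_pangolin_traefik_target_port | default(0) | int > 0
      - noble_pangolin_traefik_target_port | default(0) | int <= 65535
    fail_msg: >-
      **noble_pangolin_traefik_target_port** must be an integer between
      1 and 65535.
  when: noble_pangolin_http_fqdns_effective | length > 0

# NOTE(review): only the existence of .env is checked. The file holds the
# Pangolin API credentials, so confirm separately that it is not readable by
# other users and is excluded from version control.
- name: Stat repository .env for Pangolin API credentials
  ansible.builtin.stat:
    path: "{{ noble_repo_root }}/.env"
  register: noble_pangolin_env_file
  changed_when: false
  when: noble_pangolin_http_fqdns_effective | length > 0

- name: Require .env for Pangolin Integration API secrets
  ansible.builtin.assert:
    that:
      - noble_pangolin_env_file.stat.exists | default(false)
    fail_msg: >-
      Pangolin sync needs **.env** at the repo root with **NOBLE_PANGOLIN_***
      variables (see **.env.sample**).
  when: noble_pangolin_http_fqdns_effective | length > 0

# argv form runs the script without a shell, so FQDN values reach it as one
# literal argument. Credentials are handed over as a file path (--env-file),
# not as argument values, which keeps them out of the logged command line.
# NOTE(review): stdout is registered and shown in verbose runs; confirm the
# script never prints credential values, otherwise set no_log on this task.
# The task reports "changed" only when stdout carries one of the markers
# tested in changed_when.
- name: Sync Pangolin public HTTP resources (Integration API)
  ansible.builtin.command:
    argv:
      - python3
      - "{{ noble_repo_root }}/clusters/noble/bootstrap/newt/scripts/sync_pangolin_http_resources.py"
      - "--env-file"
      - "{{ noble_repo_root }}/.env"
      - "--fqdns"
      - "{{ noble_pangolin_http_fqdns_effective | join(',') }}"
      - "--traefik-ip"
      - "{{ noble_pangolin_traefik_ip_resolved }}"
      - "--traefik-port"
      - "{{ noble_pangolin_traefik_target_port | int | string }}"
  register: noble_pangolin_sync_cmd
  changed_when: >-
    '[create]' in (noble_pangolin_sync_cmd.stdout | default(''))
    or '[target]' in (noble_pangolin_sync_cmd.stdout | default(''))
    or 'target created' in (noble_pangolin_sync_cmd.stdout | default(''))
  when: noble_pangolin_http_fqdns_effective | length > 0

# Sync was requested but there is nothing to publish: tell the operator which
# variables feed the list.
- name: Skip Pangolin sync (no public FQDNs configured)
  ansible.builtin.debug:
    msg: >-
      noble_pangolin_sync_http_resources is true but the FQDN list is empty
      (set **noble_authentik_ingress_extra_hosts**,
      **noble_open_webui_public_host**, and/or
      **noble_pangolin_http_fqdns_extra**).
  when: noble_pangolin_http_fqdns_effective | length == 0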