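---
# Installs the Nebula binaries under /opt/nebula and, when the Nebula debug
# SSH console is enabled, prepares its host key and authorized-key registry.
#
# Variables read by these tasks: nebula_version, nebula_architectures,
# nebula_sshd_enabled, nebula_sshd_authorized_users.
# Optional variable introduced here: nebula_download_checksum.

- name: Ensure cron is installed
  package:
    name: "{{ 'cron' if ansible_facts.os_family == 'Debian' else 'cronie' }}"
    state: present

- name: Ensure /opt/nebula directory exists
  file:
    path: /opt/nebula
    state: directory
    mode: '0755'
    owner: root
    group: root

- name: Check for existing Nebula install
  stat:
    path: '/opt/nebula/nebula'
  register: installed_nebula_stats

- name: Get Nebula version (if installed)
  command: "/opt/nebula/nebula -version"
  register: installed_nebula_version_out
  changed_when: false
  # A non-zero exit must not abort the play; the version is parsed defensively below.
  failed_when: false
  # Read-only query: run it in check mode too, so the version comparison still works.
  check_mode: false
  when: installed_nebula_stats.stat.exists

- name: Extract Nebula version from command output
  set_fact:
    # Takes the second space-separated token of the output. If the binary
    # printed nothing usable, fall back to an empty string: it never equals
    # nebula_version, so the download/extract tasks below reinstall.
    installed_nebula_version: "{{ (installed_nebula_version_out.stdout | default('')).split(' ')[1] | default('') }}"
  when: installed_nebula_stats.stat.exists

# Download and unpack only when Nebula is missing or the installed version
# differs from nebula_version.
- name: Download Nebula archive
  get_url:
    url: "https://github.com/slackhq/nebula/releases/download/v{{ nebula_version }}/nebula-linux-{{ nebula_architectures[ansible_facts.architecture] }}.tar.gz"
    # NOTE(review): /tmp is usually world-writable and this file name is
    # predictable. Without a checksum, get_url keeps a file that already exists
    # at dest, so a pre-placed archive would be extracted as root below.
    # Staging in a root-only directory would close that gap - confirm that
    # nothing else relies on this path before moving it.
    dest: "/tmp/nebula-{{ nebula_version }}.tar.gz"
    mode: '0644'
    # Integrity pin for the release archive. Set nebula_download_checksum to
    # "sha256:<hex digest>" of the archive for the target architecture.
    # When unset the parameter is omitted and the download is trusted on
    # HTTPS alone.
    checksum: "{{ nebula_download_checksum | default(omit) }}"
  when: (installed_nebula_version | default(nebula_version) != nebula_version) or (not installed_nebula_stats.stat.exists)

- name: Extract Nebula
  unarchive:
    src: "/tmp/nebula-{{ nebula_version }}.tar.gz"
    dest: "/opt/nebula"
    # The archive is already on the managed host, not on the controller.
    remote_src: true
  when: (installed_nebula_version | default(nebula_version) != nebula_version) or (not installed_nebula_stats.stat.exists)
  notify: restart nebula

- name: Ensure Nebula binaries permissions are correct
  file:
    path: "/opt/nebula/{{ item }}"
    owner: root
    group: root
    # Only root may read or execute the binaries.
    mode: '0700'
  loop:
    - nebula
    - nebula-cert

- name: Generate SSH host key for Nebula debug console
  command: ssh-keygen -t ed25519 -f /opt/nebula/ssh_host_ed25519_key -N ""
  args:
    # Keeps the task idempotent: an existing host key is never regenerated.
    creates: /opt/nebula/ssh_host_ed25519_key
  when: nebula_sshd_enabled

- name: Set SSH host key permissions
  file:
    path: "{{ item }}"
    owner: root
    group: root
    mode: '0600'
  loop:
    - /opt/nebula/ssh_host_ed25519_key
    - /opt/nebula/ssh_host_ed25519_key.pub
  when: nebula_sshd_enabled

- name: Read SSH key files and build registry
  block:
    - name: Read all SSH key files
      slurp:
        src: "{{ item.1 }}"
      register: ssh_key_files
      # Unreadable key files are tolerated here; the next task only consumes
      # results that carry a 'content' field, so such keys are silently left
      # out of the registry.
      failed_when: false
      loop: "{{ nebula_sshd_authorized_users | subelements('key_files', skip_missing=True) }}"

    - name: Build SSH key registry by username
      set_fact:
        # Appends each decoded, trimmed key to the list stored under its
        # user name, creating that list on first use.
        nebula_sshd_key_registry: >-
          {{
            nebula_sshd_key_registry | default({}) | combine({
              result.item.0.user: (nebula_sshd_key_registry | default({})).get(result.item.0.user, []) + [result.content | b64decode | trim]
            })
          }}
      loop: "{{ ssh_key_files.results | selectattr('content', 'defined') | list }}"
      loop_control:
        loop_var: result
  when: nebula_sshd_enabled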