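---
# Bootstrap playbook for new VMs
#
# Run FIRST on newly provisioned VMs before security/nebula playbooks.
# Updates system packages and reboots if kernel changed.
#
# Usage: ansible-playbook -i inventory.ini playbooks/bootstrap.yml --limit "new-vm"
#
# Task order matters: the pacman keyring is initialised, populated and brought
# up to date BEFORE the full upgrade, so the signatures of every package
# installed afterwards can actually be verified against current keys.
- name: Bootstrap New VMs
  hosts: all
  become: true
  tasks:
    - name: Initialize pacman keyring
      ansible.builtin.command:
        cmd: pacman-key --init
        # Idempotence guard: the trust database only exists once --init has run.
        creates: /etc/pacman.d/gnupg/trustdb.gpg

    - name: Populate pacman keyring with Arch Linux keys
      ansible.builtin.command:
        cmd: pacman-key --populate archlinux
      register: populate_result
      # --populate exits 0 either way; only report "changed" when it signed keys.
      changed_when: "'locally signed' in populate_result.stdout"

    - name: Update archlinux-keyring package first
      # A stale keyring makes the full upgrade below fail signature checks;
      # refreshing it separately first avoids that.
      community.general.pacman:
        name: archlinux-keyring
        state: latest
        update_cache: true

    - name: Get current running kernel version
      ansible.builtin.command:
        cmd: uname -r
      register: running_kernel
      changed_when: false

    - name: Update all packages
      community.general.pacman:
        update_cache: true
        upgrade: true
      register: update_result

    - name: Install essential packages
      community.general.pacman:
        name:
          - rsync
        state: present

    - name: Get installed kernel version
      # pacman prints e.g. "6.6.1.arch1-1" while uname prints "6.6.1-arch1-1",
      # so the first ".arch" is rewritten to "-arch" before the comparison.
      # pipefail: without it a failing `pacman -Q linux` (package absent, e.g.
      # a host on another kernel flavour) yields an empty string with rc=0,
      # which the check below would read as "reboot needed" on every run.
      # NOTE(review): assumes the stock `linux` kernel package — confirm for
      # hosts that use a different kernel package.
      ansible.builtin.shell:
        cmd: set -o pipefail && pacman -Q linux | awk '{print $2}' | sed 's/\.arch/-arch/'
        executable: /bin/bash
      register: installed_kernel
      changed_when: false

    - name: Check if reboot is needed (kernel updated)
      # Stored as a string by the template; consumers must filter with `| bool`.
      ansible.builtin.set_fact:
        reboot_needed: "{{ running_kernel.stdout not in installed_kernel.stdout }}"

    - name: Display kernel status
      ansible.builtin.debug:
        # Folded scalar: renders as one line, identical to the single-line form.
        msg: >-
          Running: {{ running_kernel.stdout }},
          Installed: {{ installed_kernel.stdout }},
          Reboot needed: {{ reboot_needed }}

    - name: Reboot if kernel was updated
      ansible.builtin.reboot:
        msg: "Kernel updated, rebooting"
        reboot_timeout: 300
      when: reboot_needed | bool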