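---
# Deploys the Ansible content under ansible/ to the droplet described by the
# repository secrets. Runs on pushes to main that touch ansible/** and on
# manual dispatch, where the playbook is chosen from a fixed list.
name: Ansible

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
    paths:
      - 'ansible/**'
  workflow_dispatch:
    inputs:
      playbook:
        description: 'Playbook to run'
        required: true
        default: 'infra.yml'
        # `choice` restricts the value to the options below, so the input can
        # never carry arbitrary text into the shell.
        type: choice
        options:
          - infra.yml

# Least privilege for GITHUB_TOKEN: the job only reads the repository. Without
# this the default token may carry write scopes the job never uses.
permissions:
  contents: read

jobs:
  ansible:
    runs-on: ubuntu-latest
    defaults:
      run:
        # Every `run:` step below executes inside ansible/, so relative paths
        # such as inventory.ini and .vault_pass resolve there.
        working-directory: ansible
    steps:
      - name: Checkout
        # NOTE(review): `v4` is a mutable tag; pinning to a full commit SHA
        # keeps the action immutable if the tag is ever moved.
        uses: actions/checkout@v4

      - name: Install Ansible
        # NOTE(review): unpinned — each run installs whatever PyPI currently
        # serves as the latest ansible; pin a version (or use a lock file) so
        # deploys are reproducible and a bad release cannot land silently.
        run: pip install ansible

      - name: Write SSH key
        # Secrets are passed through `env:` rather than expanded with `${{ }}`
        # inside the script text, so their contents are shell data, never
        # shell syntax. Values stay masked in the job log either way.
        env:
          DROPLET_SSH_KEY: ${{ secrets.DROPLET_SSH_KEY }}
          DROPLET_IP: ${{ secrets.DROPLET_IP }}
        run: |
          umask 077
          mkdir -p ~/.ssh
          chmod 700 ~/.ssh
          printf '%s\n' "$DROPLET_SSH_KEY" > ~/.ssh/do
          chmod 600 ~/.ssh/do
          # Trust-on-first-use: the host key is whatever answers at DROPLET_IP
          # during this run. Keeping the expected host key in a secret and
          # writing it to known_hosts directly would remove that window.
          ssh-keyscan -H "$DROPLET_IP" >> ~/.ssh/known_hosts

      - name: Write inventory
        env:
          DROPLET_IP: ${{ secrets.DROPLET_IP }}
        run: |
          echo "[infra]" > inventory.ini
          echo "$DROPLET_IP ansible_user=root ansible_ssh_private_key_file=~/.ssh/do" >> inventory.ini

      - name: Write vault password
        env:
          ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
        run: |
          # umask keeps the password file owner-only from the moment it exists.
          umask 077
          printf '%s\n' "$ANSIBLE_VAULT_PASSWORD" > .vault_pass

      - name: Run playbook
        env:
          # Falls back to infra.yml on push events, where `inputs` is empty.
          PLAYBOOK: ${{ inputs.playbook || 'infra.yml' }}
        run: |
          ansible-playbook -i inventory.ini "$PLAYBOOK" \
            --vault-password-file .vault_pass

      - name: Cleanup
        # Runs even when an earlier step fails so the key, vault password and
        # the inventory (which holds the droplet address) never outlive the
        # job on the runner.
        if: always()
        run: rm -f ~/.ssh/do .vault_pass inventory.ini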