---
- name: Install Gitea Actions self-hosted runners
  hosts: all
  become: true

  pre_tasks:
    - name: Assert host defines a runners matrix
      ansible.builtin.assert:
        that:
          - runners is defined
          - runners | length > 0
          - runner_env is defined
        fail_msg: "Host {{ inventory_hostname }} is missing host_vars (runners / runner_env)."

  tasks:
    - name: Ensure runner service user exists
      ansible.builtin.user:
        name: "{{ runner_user }}"
        shell: /bin/bash
        create_home: true
        home: "{{ runner_home }}"

    # JS actions (actions/checkout@v4, etc.) execute with `node` on the host
    # executor. Without it act_runner fails: "Cannot find: node in PATH".
    # git is needed by checkout for its fetch step.
    - name: Ensure git is present
      ansible.builtin.apt:
        name: git
        state: present
        update_cache: true

    - name: Install Node.js {{ node_major_version }}.x (NodeSource)
      block:
        # Key is ASCII-armored, so store it as .asc — apt reads .gpg as binary
        # and .asc as armored; a mismatch fails repo signature verification.
        - name: Add NodeSource apt key
          ansible.builtin.get_url:
            url: https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key
            dest: /usr/share/keyrings/nodesource.asc
            mode: "0644"

        - name: Add NodeSource apt repo
          ansible.builtin.apt_repository:
            repo: "deb [signed-by=/usr/share/keyrings/nodesource.asc] https://deb.nodesource.com/node_{{ node_major_version }}.x nodistro main"
            filename: nodesource

        - name: Install nodejs
          ansible.builtin.apt:
            name: nodejs
            state: present
            update_cache: true

    - name: Install runners for each project
      ansible.builtin.include_tasks: tasks/install_project.yml
      loop: "{{ runners }}"
      loop_control:
        loop_var: project_spec
        label: "{{ project_spec.project }}"

    # The build job runs `docker build` on the host, talking to the daemon via
    # /var/run/docker.sock. Without docker group membership the runner user gets
    # "permission denied ... unix:///var/run/docker.sock".
    - name: Add runner user to the docker group
      ansible.builtin.user:
        name: "{{ runner_user }}"
        groups: docker
        append: true
      register: runner_docker_group

    # Group membership is only read at process start, so already-running runner
    # services must be restarted to gain socket access.
    - name: Restart runner services to apply docker group membership
      ansible.builtin.shell: "systemctl restart 'gitea-runner-*.service'"
      when: runner_docker_group is changed
      changed_when: true