---
- name: Validate decommissioning requirements
  ansible.builtin.assert:
    that:
      - backup_data or not backup_data
    fail_msg: "Invalid decommissioning configuration"

- name: Pre-decommissioning checks
  block:
    - name: Check node health
      ansible.builtin.uri:
        url: http://localhost/health
        method: GET
        status_code: 200
      register: health_check
      failed_when: false
      ignore_errors: true
      when: "'webservers' in group_names"

    - name: Create decommissioning backup directory
      ansible.builtin.file:
        path: "/var/backups/decommission-{{ ansible_date_time.iso8601 }}"
        state: directory
        mode: '0755'

    - name: Initialize decommissioning log
      ansible.builtin.file:
        path: "/var/log/decommission.log"
        state: touch
        mode: '0644'
        modification_time: now
        access_time: now

    - name: Log decommissioning start
      ansible.builtin.lineinfile:
        path: "/var/log/decommission.log"
        line: "{{ ansible_date_time.iso8601 }} - Starting decommissioning of {{ inventory_hostname }}"
        state: present

- name: Graceful application shutdown
  block:
    - name: Stop application services
      ansible.builtin.service:
        name: "{{ item }}"
        state: stopped
      loop: "{{ application_services }}"
      failed_when: false
      when: graceful_shutdown

    - name: Wait for connections to drain
      ansible.builtin.pause:
        seconds: 30
      when: graceful_shutdown and ("webservers" in group_names or "loadbalancers" in group_names)

- name: Export and backup data
  block:
    - name: Create config export directory
      ansible.builtin.file:
        path: "/var/backups/decommission-{{ ansible_date_time.iso8601 }}/config"
        state: directory
        mode: '0755'

    - name: Archive system configuration
      community.general.archive:
        path: "{{ config_paths }}"
        dest: "/var/backups/decommission-{{ ansible_date_time.iso8601 }}/config/system_config.tar.gz"
        format: gz
      when: export_config
      failed_when: false  # noqa risky-file-permissions

    - name: Create data backup directory
      ansible.builtin.file:
        path: "/var/backups/decommission-{{ ansible_date_time.iso8601 }}/data"
        state: directory
        mode: '0755'
      when: backup_data

    - name: Backup individual data paths
      community.general.archive:
        path: "{{ item }}"
        dest: "/var/backups/decommission-{{ ansible_date_time.iso8601 }}/data/{{ item | regex_replace('/', '_') }}.tar.gz"
        format: gz
      loop: "{{ data_paths }}"
      when: backup_data
      failed_when: false  # noqa risky-file-permissions

- name: Update monitoring and load balancing
  block:
    - name: Remove from load balancer
      ansible.builtin.debug:
        msg: "Would remove {{ inventory_hostname }} from load balancer"
      when: "'webservers' in group_names or 'databases' in group_names"

    - name: Update monitoring alerts
      ansible.builtin.debug:
        msg: "Would update monitoring alerts for {{ inventory_hostname }}"
      when: "'monitoring' not in group_names"

- name: Clean up application
  block:
    - name: Remove application directories
      ansible.builtin.file:
        path: "{{ item }}"
        state: absent
      loop:
        - /opt/application
        - /var/www/html
        - /var/lib/postgresql
        - /var/lib/prometheus
      failed_when: false

    - name: Remove application packages
      ansible.builtin.apt:
        name: "{{ item }}"
        state: absent
        purge: true
      loop: "{{ application_packages }}"
      failed_when: false

    - name: Clean system logs
      ansible.builtin.shell: |
        set -o pipefail
        find /var/log -name "*.log" -type f -size +0 -exec truncate -s 0 {} \;
      changed_when: false
      failed_when: false

    - name: Remove SSH credentials
      ansible.builtin.file:
        path: "{{ item }}"
        state: absent
      loop:
        - /root/.ssh/authorized_keys
        - /root/.ssh/known_hosts
        - /home/infra-admin/.ssh/authorized_keys
      failed_when: false

- name: Generate decommissioning report
  ansible.builtin.template:
    src: decommission_report.j2
    dest: "/var/log/decommission_report_{{ ansible_date_time.iso8601 }}.log"
    mode: '0644'
  vars:
    backup_location: "/var/backups/decommission-{{ ansible_date_time.iso8601 }}"

- name: Send decommissioning notification
  community.general.mail:
    host: localhost
    port: 25
    to: "{{ decommission_notification_email }}"
    subject: "Node Decommissioned - {{ inventory_hostname }}"
    body: |
      Node {{ inventory_hostname }} has been successfully decommissioned.

      Backup location: /var/backups/decommission-{{ ansible_date_time.iso8601 }}/
      Services stopped: {{ application_services | join(', ') }}
      Configuration exported: {{ export_config }}
      Data backed up: {{ backup_data }}

      See /var/log/decommission_report_{{ ansible_date_time.iso8601 }}.log for details
  when: decommission_notification_email is defined
  failed_when: false

- name: Finalize decommissioning
  block:
    - name: Log decommissioning completion
      ansible.builtin.lineinfile:
        path: "/var/log/decommission.log"
        line: "{{ ansible_date_time.iso8601 }} - Decommissioning completed for {{ inventory_hostname }}"
        state: present

    - name: Perform system shutdown
      ansible.builtin.reboot:
        msg: "System scheduled for shutdown after decommissioning"
        delay: "{{ shutdown_delay }}"
      when: auto_shutdown | bool
      async: 1
      poll: 0