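---
# Platform prechecks for the hardening role: derive a few facts, print a
# status report, then assert the platform is one the role supports.
# NOTE(review): every task reads gathered facts (ansible_mounts,
# ansible_distribution, ansible_service_mgr, ...) - confirm that fact
# gathering has run before this file is included.

- name: Determine root filesystem free space
  ansible.builtin.set_fact:
    # First ansible_mounts entry whose mount point is '/'. Falls back to an
    # empty mapping when no such entry is reported.
    cis_root_mount: "{{ ansible_mounts | selectattr('mount', 'equalto', '/') | list | first | default({}) }}"

- name: Calculate root filesystem free space in MB
  ansible.builtin.set_fact:
    # size_available / 1024 / 1024, rounded down to a whole number. A missing
    # '/' entry yields 0, so the free-space assertion later in this file
    # fails closed instead of passing silently.
    cis_root_free_mb: "{{ ((cis_root_mount.size_available | default(0) | int) / 1024 / 1024) | round(0, 'floor') | int }}"

- name: Detect containerized runtime
  ansible.builtin.set_fact:
    # True when the virtualization type is one of the configured container
    # types, or when the 'container' environment variable is non-empty.
    # Parentheses only make the existing operator precedence explicit.
    cis_container_detected: >-
      {{
        (ansible_virtualization_type | default('') in cis_container_virtualization_types)
        or (ansible_env.container | default('') | length > 0)
      }}

# Informational only: this task never fails. The assertions below enforce
# the hard requirements.
- name: Report platform precheck status
  ansible.builtin.debug:
    msg:
      - "OK: Facts gathered for {{ ansible_distribution }} {{ ansible_distribution_version }}."
      - "OK: Root filesystem free space is {{ cis_root_free_mb }} MB."
      # '| bool' keeps this branch correct even if the fact reaches here as
      # the string 'False', which a bare truthiness test treats as true.
      - >-
        {{
          'WARNING: Containerized environment detected; service and kernel controls may be limited.'
          if cis_container_detected | bool
          else 'OK: No containerized runtime detected from Ansible facts.'
        }}
      - >-
        {{
          'OK: systemd service manager detected.'
          if ansible_service_mgr == 'systemd'
          else 'CRITICAL: systemd service manager is required.'
        }}

- name: Fail when operating system is unsupported
  ansible.builtin.assert:
    that:
      - ansible_distribution in cis_supported_distributions
      # ansible_distribution_major_version is a string fact. Comparing both
      # sides as strings keeps the check correct whether
      # cis_supported_major_version is written as "9" or as a bare 9, which
      # YAML loads as an integer. Without the cast, '9' == 9 is false and
      # every host is rejected.
      # NOTE(review): the variable's definition is not visible in this file.
      - (ansible_distribution_major_version | string) == (cis_supported_major_version | string)
    fail_msg: >-
      CRITICAL: This role supports only RHEL 9 / Oracle Linux 9 compatible systems.
      Detected {{ ansible_distribution }} {{ ansible_distribution_version }}.
    success_msg: "OK: Supported RHEL 9 compatible platform detected."

- name: Fail when systemd is unavailable
  ansible.builtin.assert:
    that:
      - ansible_service_mgr == 'systemd'
    fail_msg: "CRITICAL: systemd is required for this operational hardening role."
    success_msg: "OK: systemd is available."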
# Abort when '/' has less free space than the configured minimum.
# cis_root_free_mb is the fact computed earlier in this file.
# cis_min_root_free_mb is expected from role variables.
# NOTE(review): confirm where the minimum is defined and its default.
- name: Fail when root filesystem free space is below safety threshold
  ansible.builtin.assert:
    that:
      # Both operands are cast to int, so values that arrive as strings
      # still compare numerically.
      - (cis_root_free_mb | int) >= (cis_min_root_free_mb | int)
    fail_msg: >-
      CRITICAL: Root filesystem has {{ cis_root_free_mb }} MB free.
      Minimum required free space is {{ cis_min_root_free_mb }} MB.
    success_msg: "OK: Root filesystem free space meets the safety threshold."