---
- name: Apply Security Patches and Updates
  hosts: all
  become: true
  gather_facts: true
  vars_files:
    - vars/vault.yml

  pre_tasks:
    - name: Validate patch prerequisites
      ansible.builtin.assert:
        that:
          - ansible_os_family == "Debian"
        fail_msg: "Patching supported only on Debian-based systems"

    - name: Display patch information
      ansible.builtin.debug:
        msg: |
          Patching {{ inventory_hostname }}
          Patch Window: {{ patch_window_start }} - {{ patch_window_end }}
          Security Only: {{ patch_security_only }}

  roles:
    - role: patching
      tags: ['patch', 'updates']

  post_tasks:
    - name: Display patching summary
      ansible.builtin.debug:
        msg: |
          Patching completed!
          Host: {{ inventory_hostname }}
          Reboot Required: {{ reboot_required | default(false) }}