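---
# Platform prechecks for the hardening role.
#
# The tasks below collect a few facts, print a status summary, and then
# assert hard requirements (supported OS, systemd, apt, free disk space)
# so that no hardening control runs on a host that fails them.
#
# Variables read here but not defined in this file (presumably role
# defaults; confirm): cis_container_virtualization_types,
# cis_supported_debian_major_version, cis_supported_ubuntu_version,
# cis_min_root_free_mb.

# Select the ansible_mounts entry for '/'. When no such entry exists the
# fact is an empty mapping, so later lookups fall back to their defaults.
- name: Determine root filesystem free space
  ansible.builtin.set_fact:
    cis_root_mount: "{{ ansible_mounts | selectattr('mount', 'equalto', '/') | list | first | default({}) }}"

# size_available is divided by 1024 twice and floored to whole MB.
# A missing root mount yields 0 MB, so the free-space assertion at the end
# of this file fails closed instead of passing silently.
- name: Calculate root filesystem free space in MB
  ansible.builtin.set_fact:
    cis_root_free_mb: "{{ ((cis_root_mount.size_available | default(0) | int) / 1024 / 1024) | round(0, 'floor') | int }}"

# Best-effort detection from two signals: the virtualization-type fact and
# a non-empty `container` environment variable in ansible_env. Neither is
# authoritative, so a negative result does not prove the host is not a
# container. The result only drives a WARNING line below; it never fails
# the play.
- name: Detect containerized runtime
  ansible.builtin.set_fact:
    cis_container_detected: >-
      {{
        ansible_virtualization_type | default('') in cis_container_virtualization_types
        or ansible_env.container | default('') | length > 0
      }}

- name: Check for apt
  ansible.builtin.stat:
    path: /usr/bin/apt-get
  register: cis_apt_check

# Informational summary only; the assertions that follow enforce the
# CRITICAL conditions. cis_container_detected is passed through `bool` so
# that a string-typed 'False' is never treated as truthy.
- name: Report platform precheck status
  ansible.builtin.debug:
    msg:
      - "OK: Facts gathered for {{ ansible_distribution }} {{ ansible_distribution_version }}."
      - "OK: Root filesystem free space is {{ cis_root_free_mb }} MB."
      - >-
        {{
          'OK: apt package manager detected.'
          if cis_apt_check.stat.exists
          else 'CRITICAL: apt package manager was not found.'
        }}
      - >-
        {{
          'OK: systemd service manager detected.'
          if ansible_service_mgr == 'systemd'
          else 'CRITICAL: systemd service manager is required.'
        }}
      - >-
        {{
          'WARNING: Containerized environment detected; service and kernel controls may be limited.'
          if cis_container_detected | bool
          else 'OK: No containerized runtime detected from Ansible facts.'
        }}

# Gate on the exact supported releases so controls written for one release
# are not applied to another. Both sides of the Debian comparison are cast
# to string: the fact is a string, and an unquoted value in the variable
# would load as an integer and never compare equal.
# NOTE(review): fail_msg hard-codes the release names while the check reads
# variables; keep the two in sync if the variables are ever overridden.
- name: Fail when operating system is unsupported
  ansible.builtin.assert:
    that:
      - >-
        (ansible_distribution == 'Debian' and
         ansible_distribution_major_version | string == cis_supported_debian_major_version | string)
        or
        (ansible_distribution == 'Ubuntu' and
         ansible_distribution_version is version(cis_supported_ubuntu_version, '=='))
    fail_msg: >-
      CRITICAL: This role supports only Debian 13 / Trixie and Ubuntu Server 26.04 LTS.
      Detected {{ ansible_distribution }} {{ ansible_distribution_version }}.
    success_msg: "OK: Supported Debian/Ubuntu platform detected."

- name: Fail when systemd is unavailable
  ansible.builtin.assert:
    that:
      - ansible_service_mgr == 'systemd'
    fail_msg: "CRITICAL: systemd is required for this operational hardening role."
    success_msg: "OK: systemd is available."

- name: Fail when apt is unavailable
  ansible.builtin.assert:
    that:
      - cis_apt_check.stat.exists
    fail_msg: "CRITICAL: apt-get is required for this Debian/Ubuntu hardening role."
    success_msg: "OK: apt-get is available."

# Both operands are cast to int so the comparison is numeric even when
# either value arrives as a string.
- name: Fail when root filesystem free space is below safety threshold
  ansible.builtin.assert:
    that:
      - cis_root_free_mb | int >= cis_min_root_free_mb | int
    fail_msg: >-
      CRITICAL: Root filesystem has {{ cis_root_free_mb }} MB free.
      Minimum required free space is {{ cis_min_root_free_mb }} MB.
    success_msg: "OK: Root filesystem free space meets the safety threshold."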