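---
# Disk Partitions: carve the secondary disk into LVM volumes for /var, /var/log,
# /var/log/audit and /var/tmp, encrypt /home with LUKS2, and migrate existing
# content when /var is not yet on its own mount.
#
# Required vars (asserted below): baseline_home_luks_passphrase,
# baseline_second_disk_device.
# Also consumed (presumably from role defaults; not asserted here):
# baseline_second_disk_vg_name, baseline_second_disk_var_size,
# baseline_second_disk_var_log_size, baseline_second_disk_var_log_audit_size,
# baseline_second_disk_var_tmp_size.

- name: Disk Partitions | PRELIM | Ensure baseline_home_luks_passphrase is defined
  ansible.builtin.assert:
    that:
      - baseline_home_luks_passphrase is defined
    msg: "Variable 'baseline_home_luks_passphrase' must be defined."

- name: Disk Partitions | PRELIM | Ensure baseline_second_disk_device is defined
  ansible.builtin.assert:
    that:
      - baseline_second_disk_device is defined
    msg: "Variable 'baseline_second_disk_device' must be defined."

- name: Disk Partitions | PATCH | Ensure lvm2 is installed
  ansible.builtin.package:
    name: lvm2
    state: present

- name: Disk Partitions | PATCH | Create LVM partition spanning entire disk
  community.general.parted:
    device: "{{ baseline_second_disk_device }}"
    number: 1
    flags: [lvm]
    state: present
    part_start: "0%"
    part_end: "100%"

- name: Disk Partitions | PATCH | Create volume group
  community.general.lvg:
    vg: "{{ baseline_second_disk_vg_name }}"
    # Partition 1 of the device. Device names that end in a digit (nvme0n1,
    # mmcblk0, md0, loop0) take a 'p' separator before the partition number;
    # sdX/vdX style names do not.
    pvs: >-
      {{ baseline_second_disk_device }}{{ 'p' if baseline_second_disk_device is match('.*[0-9]$') else '' }}1

- name: Disk Partitions | PATCH | Create /var logical volume
  community.general.lvol:
    vg: "{{ baseline_second_disk_vg_name }}"
    lv: var
    size: "{{ baseline_second_disk_var_size }}"

- name: Disk Partitions | PATCH | Create /var/log logical volume
  community.general.lvol:
    vg: "{{ baseline_second_disk_vg_name }}"
    lv: var_log
    size: "{{ baseline_second_disk_var_log_size }}"

- name: Disk Partitions | PATCH | Create /var/log/audit logical volume
  community.general.lvol:
    vg: "{{ baseline_second_disk_vg_name }}"
    lv: var_log_audit
    size: "{{ baseline_second_disk_var_log_audit_size }}"

- name: Disk Partitions | PATCH | Create /var/tmp logical volume
  community.general.lvol:
    vg: "{{ baseline_second_disk_vg_name }}"
    lv: var_tmp
    size: "{{ baseline_second_disk_var_tmp_size }}"

- name: Disk Partitions | PATCH | Create /home logical volume with remaining space
  community.general.lvol:
    vg: "{{ baseline_second_disk_vg_name }}"
    lv: home
    shrink: false  # "100%FREE" is 0 on re-runs; never shrink an existing LV
    size: "100%FREE"

- name: Disk Partitions | PATCH | Ensure cryptsetup is installed
  ansible.builtin.package:
    name: cryptsetup
    state: present

- name: Disk Partitions | PATCH | Encrypt /home with LUKS2 and provided passphrase
  community.crypto.luks_device:
    device: "/dev/{{ baseline_second_disk_vg_name }}/home"
    state: present
    passphrase: "{{ baseline_home_luks_passphrase }}"
    type: luks2
  no_log: true  # keep the passphrase out of task output and logs

- name: Disk Partitions | PATCH | Open LUKS device
  community.crypto.luks_device:
    device: "/dev/{{ baseline_second_disk_vg_name }}/home"
    name: home_crypt
    state: opened
    passphrase: "{{ baseline_home_luks_passphrase }}"
  no_log: true  # keep the passphrase out of task output and logs

- name: Disk Partitions | PATCH | Add /home logical volume to crypttab
  community.general.crypttab:
    # Same /dev/<vg>/<lv> path form as the luks_device tasks above, so the
    # entry follows the configured VG name instead of a hard-coded one.
    backing_device: "/dev/{{ baseline_second_disk_vg_name }}/home"
    name: home_crypt
    # No key file is configured here, so the volume is presumably unlocked
    # interactively at boot — confirm this matches the intended boot flow.
    # 'discard' passes TRIM through to the backing device; it exposes which
    # blocks are in use, which is usually an accepted trade-off for SSDs.
    opts: discard
    state: present

- name: Disk Partitions | PATCH | Create xfs filesystems on new partitions
  community.general.filesystem:
    dev: "{{ item }}"
    fstype: xfs
  loop:
    - "/dev/{{ baseline_second_disk_vg_name }}/var"
    - "/dev/{{ baseline_second_disk_vg_name }}/var_log"
    - "/dev/{{ baseline_second_disk_vg_name }}/var_log_audit"
    - "/dev/{{ baseline_second_disk_vg_name }}/var_tmp"
    - /dev/mapper/home_crypt

- name: Disk Partitions | AUDIT | Check if /home is mounted
  ansible.builtin.command:
    cmd: mountpoint -q /home
  register: baseline_second_disk_home_mounted
  changed_when: false
  failed_when: false  # rc != 0 simply means "not a mountpoint"

- name: Disk Partitions | AUDIT | Check if /home is empty
  ansible.builtin.command:
    cmd: ls -A /home
  register: baseline_second_disk_home_files
  when: baseline_second_disk_home_mounted.rc != 0
  changed_when: false

# Refuse to mount the new volume over existing data that would be hidden.
- name: Disk Partitions | AUDIT | Fail if /home is not mounted and not empty
  ansible.builtin.assert:
    that:
      - baseline_second_disk_home_files.stdout == ""
    msg: "/home is not mounted but is not empty; refusing to mount over existing files."
  when: baseline_second_disk_home_mounted.rc != 0

- name: Disk Partitions | PATCH | Ensure /home is mounted
  ansible.posix.mount:
    src: /dev/mapper/home_crypt
    path: /home
    fstype: xfs
    opts: "rw,nosuid,nodev"
    state: mounted

- name: Disk Partitions | AUDIT | Check if /var is mounted
  ansible.builtin.command:
    cmd: mountpoint -q /var
  register: baseline_second_disk_var_mounted
  changed_when: false
  failed_when: false  # rc != 0 simply means "not a mountpoint"

- name: Disk Partitions | PATCH | Migrate content if /var is not mounted
  when: baseline_second_disk_var_mounted.rc != 0
  block:
    # NOTE(review): emergency.target stops most services; this step presumably
    # only works for a local / pull-style run where the controller connection
    # does not depend on them — confirm.
    - name: Disk Partitions | PATCH | Enter emergency mode
      ansible.builtin.command:
        cmd: systemctl isolate emergency.target

    - name: Disk Partitions | PATCH | Unmount /var/lib/nfs/rpc_pipefs if mounted
      ansible.posix.mount:
        path: /var/lib/nfs/rpc_pipefs
        state: unmounted

    - name: Disk Partitions | PATCH | Migrate data to new partitions
      ansible.builtin.include_tasks:
        file: disk_partitions_migrate.yml
      vars:
        baseline_second_disk_migrate_path: "{{ item }}"
      loop:
        - /var
        - /var/log
        - /var/log/audit
        - /var/tmp

  # Runs even if a migration step fails, so the host is not left in
  # emergency mode; skipped along with the block when /var is already mounted.
  always:
    - name: Disk Partitions | PATCH | Restore default mode
      ansible.builtin.command:
        cmd: systemctl isolate default.target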