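---
# Post-provisioning customizations for OpenClaw VMs
# Run after playbooks/install.yml to apply host-specific tweaks
#
# Usage:
#   ansible-playbook -i inventory.yml playbooks/customize.yml
#   ansible-playbook -i inventory.yml playbooks/customize.yml --limit zap
#
# Everything here runs as root (become: true) on every host in the
# openclaw_servers group; keep tasks idempotent so repeated runs are safe.

- name: OpenClaw VM customizations
  hosts: openclaw_servers
  become: true
  tasks:
    - name: Set vm.swappiness=10 (live)
      ansible.posix.sysctl:
        name: vm.swappiness
        value: "10"
        state: present
        # sysctl_set applies the value to the running kernel immediately;
        # reload re-reads the sysctl file so the persisted entry is active too.
        sysctl_set: true
        reload: true

    # Belt-and-braces: the sysctl task above already records the key in
    # /etc/sysctl.conf (its default sysctl_file); this task pins the exact
    # line form. The regexp matches either spelling, so both stay idempotent.
    - name: Persist vm.swappiness in /etc/sysctl.conf
      ansible.builtin.lineinfile:
        path: /etc/sysctl.conf
        regexp: '^vm\.swappiness'
        line: 'vm.swappiness=10'
        state: present

    - name: Create virtiofs mount point
      ansible.builtin.file:
        path: /mnt/swarm
        state: directory
        mode: "0755"

    # state: present only writes the fstab entry; it does not mount anything,
    # so a missing or misconfigured share cannot fail this play.
    # Note: actual mount requires reboot after VM config update
    - name: Mount virtiofs swarm share via fstab
      ansible.posix.mount:
        path: /mnt/swarm
        src: swarm
        fstype: virtiofs
        opts: defaults
        state: present

    # loginctl records lingering as a marker file under
    # /var/lib/systemd/linger/<user>; using it as `creates` makes the task
    # skip once enabled and report "changed" only on the run that enabled it.
    - name: Ensure openclaw user lingering is enabled (for user systemd services)
      ansible.builtin.command:
        cmd: loginctl enable-linger openclaw
        creates: /var/lib/systemd/linger/openclaw

    # ── Automatic security updates ─────────────────────────────────────────
    # The upstream role installs unattended-upgrades with security-only updates.
    # We extend it here to enable automatic reboots for kernel/libc updates,
    # scheduled at 03:30 (after the 03:00 config backup).
    - name: Ensure unattended-upgrades is installed
      ansible.builtin.apt:
        name:
          - unattended-upgrades
          - apt-listchanges
        state: present
        # Refresh the package index if it is older than an hour so a fresh
        # host does not fail on a stale or empty cache.
        update_cache: true
        cache_valid_time: 3600

    # Overwrites the package-shipped conffile. Only the security pockets are
    # allowed origins, so regular (non-security) updates remain a manual step.
    - name: Configure unattended-upgrades
      ansible.builtin.copy:
        dest: /etc/apt/apt.conf.d/50unattended-upgrades
        owner: root
        group: root
        mode: "0644"
        content: |
          // OpenClaw VM — automatic security updates
          Unattended-Upgrade::Allowed-Origins {
              "${distro_id}:${distro_codename}-security";
              "${distro_id}ESMApps:${distro_codename}-apps-security";
              "${distro_id}ESM:${distro_codename}-infra-security";
          };
          Unattended-Upgrade::Package-Blacklist {};
          Unattended-Upgrade::AutoFixInterruptedDpkg "true";
          Unattended-Upgrade::MinimalSteps "true";
          Unattended-Upgrade::Remove-Unused-Dependencies "true";
          Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
          Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
          // Reboot at 03:30 if required (after the 03:00 config backup)
          Unattended-Upgrade::Automatic-Reboot "true";
          Unattended-Upgrade::Automatic-Reboot-Time "03:30";
      notify: Restart unattended-upgrades

    # APT::Periodic values are run counts in days: "1" = daily, "7" = weekly.
    - name: Enable daily apt update and upgrade triggers
      ansible.builtin.copy:
        dest: /etc/apt/apt.conf.d/20auto-upgrades
        owner: root
        group: root
        mode: "0644"
        content: |
          APT::Periodic::Update-Package-Lists "1";
          APT::Periodic::Unattended-Upgrade "1";
          APT::Periodic::AutocleanInterval "7";

    - name: Ensure unattended-upgrades service is running and enabled
      ansible.builtin.systemd:
        name: unattended-upgrades
        state: started
        enabled: true

  handlers:
    # Triggered only when 50unattended-upgrades actually changed.
    - name: Restart unattended-upgrades
      ansible.builtin.systemd:
        name: unattended-upgrades
        state: restarted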