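---
# Safely repair the client node configuration - clients first, then servers.
#
# Per host (serial: 1): back up the live config on the node, render the new
# config, validate it, restore the backup if validation fails, restart Nomad,
# then check that the agent HTTP API answers again.
- name: 修复客户端节点不安全配置
  hosts: nomad_clients
  become: true
  serial: 1  # one node at a time, for safety

  vars:
    nomad_config_path: /etc/nomad.d/nomad.hcl
    # ansible_date_time is a gathered fact, so this path is stable for the
    # whole play on a given host and the rescue step can find the backup.
    nomad_config_backup: "/etc/nomad.d/nomad.hcl.backup.{{ ansible_date_time.epoch }}"
    # The inventory name 'influxdb' maps to the tailnet host 'influxdb1'.
    nomad_api_host: "{% if inventory_hostname == 'influxdb' %}influxdb1.tailnet-68f9.ts.net{% else %}{{ inventory_hostname }}.tailnet-68f9.ts.net{% endif %}"

  tasks:
    - name: 显示当前处理的节点
      debug:
        msg: "正在处理客户端节点: {{ inventory_hostname }}"

    # Without remote_src, copy reads src from the control machine, so the
    # "backup" would not be the node's own config.
    # NOTE(review): the config may contain secrets; confirm the backup ends up
    # with the same restrictive owner/mode as the original file.
    - name: 备份当前配置
      copy:
        src: "{{ nomad_config_path }}"
        dest: "{{ nomad_config_backup }}"
        remote_src: true

    # The template task overwrites the live file before it is validated, so a
    # rejected config must be rolled back; otherwise the next restart or
    # reboot of the agent would pick it up.
    - name: Install the new config and roll back if it does not validate
      block:
        - name: 创建安全的客户端配置
          template:
            src: client-secure-template.hcl.j2
            dest: "{{ nomad_config_path }}"
            backup: true
          notify: restart nomad

        - name: 验证配置文件语法
          command: nomad config validate {{ nomad_config_path }}
          register: config_validation
          changed_when: false  # read-only check, never a change
      rescue:
        - name: Restore the backed-up config after a failed install or validation
          copy:
            src: "{{ nomad_config_backup }}"
            dest: "{{ nomad_config_path }}"
            remote_src: true

        # Failing here keeps the host failed, so the restart handler does not
        # run for it and the serial rollout stops at this node.
        - name: Stop processing this node
          fail:
            msg: "{{ inventory_hostname }}: new Nomad config was rejected; previous config restored"

    - name: 显示验证结果
      debug:
        msg: "{{ inventory_hostname }} 配置验证: {{ config_validation.stdout }}"

    # Handlers normally run only after the last task, which would make the
    # wait below probe the old, still-running agent. Flush them here so the
    # restart happens before the wait.
    - name: Restart Nomad now if the config changed
      meta: flush_handlers

    - name: 等待服务重启完成
      wait_for:
        port: 4646
        host: "{{ nomad_api_host }}"
        delay: 10
        timeout: 60
      delegate_to: localhost
      become: false  # a TCP probe from the controller needs no privileges

  handlers:
    - name: restart nomad
      systemd:
        name: nomad
        state: restarted
        daemon_reload: true

  post_tasks:
    # NOTE(review): this is a plain-HTTP request without a token. If the new
    # template enables TLS or ACLs on the HTTP API, the check needs https
    # and/or a token to succeed - confirm against the template.
    # A 200 shows the agent API is answering; it does not by itself show that
    # the node is registered and ready in the cluster.
    - name: 验证节点重新加入集群
      uri:
        url: "http://{{ nomad_api_host }}:4646/v1/agent/self"
        method: GET
      register: node_status
      delegate_to: localhost
      become: false  # an HTTP GET from the controller needs no privileges

    - name: 显示节点状态
      debug:
        msg: "{{ inventory_hostname }} 重新加入集群成功"
      when: node_status.status == 200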