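---
# Ensure that the Proxmox vault file holds a cloud-init password for this VM.
#
# Flow: decrypt the vault file in place -> slurp and parse it -> add the key
# <proxmox_secrets_prefix>_<vm_name> with a fresh password if it is missing ->
# write the file back -> ALWAYS re-encrypt it. The plaintext copy exists on disk
# only between the decrypt and the encrypt in the `always` section, and the
# play fails loudly if re-encryption fails instead of silently leaving
# plaintext secrets behind (the original `ignore_errors` on encrypt did that).
#
# Inputs (set by the caller):
#   proxmox_vault_file      vault file path; the ansible-vault tasks run from
#                           `..` and address it as ./playbooks/<proxmox_vault_file>,
#                           the slurp/copy/file tasks use it as given
#   proxmox_secrets_prefix  prefix of the key name stored in the vault
#   vm_name                 VM name; '-' is replaced by '_' in the key name
# Facts produced:
#   vault_data        decoded vault mapping (no_log)
#   vm_name_secret    key name used in the vault
#   variable_exists   true if the key was already present
#   cipassword        32-char [A-Za-z0-9] password, only set when the key was
#                     absent; when it already exists the caller presumably
#                     reads vault_data[vm_name_secret] -- TODO confirm
#
# NOTE(review): the vault password is not passed here; ansible-vault must get
# it out of band (ANSIBLE_VAULT_PASSWORD_FILE, ansible.cfg, --vault-id).
# NOTE(review): slurp/copy/command act on the targeted host, so this file is
# presumably run against localhost (connection: local) -- confirm in the play.

- name: Ensure vm secret exists in vault file
  block:
    - name: Decrypt vm vault file
      # argv form: the path is passed as a single argument, so a value with
      # spaces or shell metacharacters cannot be interpreted by a shell.
      # Failure is tolerated on purpose: an empty or not-yet-encrypted file
      # (bootstrapping) is read as-is and encrypted by the `always` section.
      # Output is not no_log'd -- it only contains the path and a status line,
      # and a hidden failure here is what made wrong-password runs silent.
      ansible.builtin.command:
        argv:
          - ansible-vault
          - decrypt
          - "./playbooks/{{ proxmox_vault_file }}"
        chdir: ".."
      register: vault_decrypt
      failed_when: false
      changed_when: vault_decrypt.rc == 0

    - name: Restrict permissions of the decrypted vault file
      # ansible-vault decrypt keeps the file's existing mode; while the file is
      # plaintext it must not be readable by other users.
      ansible.builtin.file:
        path: "{{ proxmox_vault_file }}"
        mode: "0600"
      when: vault_decrypt.rc == 0

    - name: Load existing vault content
      ansible.builtin.slurp:
        src: "{{ proxmox_vault_file }}"
      register: vault_content
      no_log: true

    - name: Parse vault content as YAML
      # Empty or whitespace-only file -> {} (from_yaml of "" yields None).
      ansible.builtin.set_fact:
        vault_data: >-
          {{ (vault_content['content'] | b64decode | from_yaml | default({}, true))
             if (vault_content['content'] | length > 0) else {} }}
      no_log: true

    - name: Verify that the vault file decrypted to a YAML mapping
      # With a wrong vault password the file stays encrypted; slurp then returns
      # the $ANSIBLE_VAULT header as a string and `combine` below would either
      # error out or overwrite the file. Fail here with a clear message instead.
      ansible.builtin.assert:
        that:
          - vault_data is mapping
        fail_msg: "{{ proxmox_vault_file }} did not decrypt to a YAML mapping; check the vault password"
        quiet: true

    - name: Setup secret name
      ansible.builtin.set_fact:
        vm_name_secret: "{{ proxmox_secrets_prefix }}_{{ vm_name | replace('-', '_') }}"

    - name: Check if variable is in vault
      ansible.builtin.set_fact:
        variable_exists: "{{ vm_name_secret in vault_data }}"

    - name: Generate new secret
      # lookup('password', '/dev/null ...') generates a random password without
      # persisting it. no_log keeps the value out of -v/debug output (the
      # original task logged the generated password at verbose levels).
      ansible.builtin.set_fact:
        cipassword: "{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}"
      when: not variable_exists
      no_log: true

    - name: Merge new secret into vault data
      ansible.builtin.set_fact:
        new_vault_data: "{{ vault_data | combine({vm_name_secret: cipassword}) }}"
      when: not variable_exists
      no_log: true

    - name: Write updated Vault content to file (temporary plaintext)
      ansible.builtin.copy:
        content: "{{ new_vault_data | to_nice_yaml }}"
        dest: "{{ proxmox_vault_file }}"
        mode: "0600"
      when: not variable_exists
      no_log: true

  always:
    - name: Encrypt vm vault file
      # Runs even if a task above failed, so the plaintext file is never left
      # on disk. Deliberately NOT ignore_errors: a failed encrypt must fail the
      # play so that an unencrypted secrets file cannot go unnoticed.
      ansible.builtin.command:
        argv:
          - ansible-vault
          - encrypt
          - "./playbooks/{{ proxmox_vault_file }}"
        chdir: ".."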