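---
# Bootstrap play for LXC containers: waits for SSH, makes sure openssh-server
# is installed and running, permits root SSH login with a key only, and
# installs the control node's public key for root.
- name: Configura container LXC
  hosts: lxc_containers
  vars:
    # Read on the control node; only the public half of the key pair is used.
    ssh_public_key: "{{ lookup('file', '~/.ssh/ansible.pub') }}"
  # Facts are skipped; presumably the containers may not be reachable yet
  # when the play starts (see the wait_for_connection task below).
  gather_facts: false
  become: true
  tasks:
    - name: Wait until SSH is fully ready (Ansible login confirms availability)
      ansible.builtin.wait_for_connection:
        timeout: 600  # up to 10 minutes (generous, for a slow bootstrap)
        delay: 5  # wait 5s before the first attempt

    # We do not want the first apt run to slow the connection right after
    # wait_for_connection, but this makes sure the following tasks use an
    # up-to-date package index.
    - name: Ensure apt cache is updated (idempotent)
      ansible.builtin.apt:
        update_cache: true

    - name: Ensure SSH is installed
      ansible.builtin.apt:
        name: openssh-server
        state: present
        update_cache: true

    - name: Ensure SSH is running
      ansible.builtin.systemd:
        name: ssh
        state: started
        enabled: true

    # Root login stays possible, but only with a key: this play installs a
    # public key for root, so password authentication for root is not needed
    # and "PermitRootLogin yes" would leave root open to password guessing.
    # NOTE(review): if the image includes drop-in files from an Include
    # directory, a PermitRootLogin set there may take precedence - confirm.
    - name: Configure SSH to allow root login
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*PermitRootLogin\s'
        line: 'PermitRootLogin prohibit-password'
        # Refuse to write a config that sshd cannot parse, so a bad edit
        # cannot lock everyone out on the next restart.
        validate: '/usr/sbin/sshd -t -f %s'
      notify: Restart SSH

    - name: Ensure .ssh directory exists
      ansible.builtin.file:
        path: /root/.ssh
        state: directory
        mode: "0700"
        owner: root
        group: root

    # copy writes the whole file: any key previously authorised for root is
    # replaced by the single key from ssh_public_key.
    - name: Install authorized_keys for root
      ansible.builtin.copy:
        dest: /root/.ssh/authorized_keys
        content: "{{ ssh_public_key }}"
        mode: "0600"
        owner: root
        group: root

  # Handlers run at the end of the play, i.e. after authorized_keys is in
  # place, so sshd only switches to key-only root login once the key exists.
  handlers:
    - name: Restart SSH
      ansible.builtin.systemd:
        name: ssh
        state: restarted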