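---
# Task list recovered from a single collapsed line. It includes the backend
# stack role, includes the front-proxy role once per UI domain, and, when OIDC
# is enabled, ensures the OIDC policy exists in MinIO via the `mc` client image.

- name: "load docker and db for {{ application_id }}"
  include_role:
    name: sys-stk-back-stateless
  vars:
    docker_compose_flush_handlers: true

# One include per entry of MINIO_FRONT_PROXY_MATRIX; each entry must provide
# `domain` and `http_port`, which are passed through to the proxy role.
- name: "Include role sys-stk-front-proxy for each UI domain"
  include_role:
    name: sys-stk-front-proxy
  vars:
    domain: "{{ item.domain }}"
    http_port: "{{ item.http_port }}"
  loop: "{{ MINIO_FRONT_PROXY_MATRIX }}"
  loop_control:
    label: "{{ item.domain }} -> {{ item.http_port }}"

# NOTE(review): MINIO_MC_IMAGE is defined outside this file. The container
# receives the MinIO alias credentials, so confirm the image reference is
# pinned to a fixed tag or digest where it is declared.
- name: "Ensure the MinIO OIDC policy exists"
  when: MINIO_OIDC_ENABLED | bool
  block:
    # The alias URL is handed to docker through the task environment and
    # `-e MC_HOST_minio` (name only, value inherited). Writing
    # `-e MC_HOST_minio=<value>` would place the value, which for an mc alias
    # normally embeds the access and secret key, in the docker command line,
    # where it is visible in the host's process list.
    #
    # failed_when is false, so every non-zero exit (policy absent, but also
    # an unreachable server or a rejected credential) is read as "missing"
    # and leads to the create task below.
    - name: "Check policy (RAW with slash) exists"
      shell: >-
        docker run --rm
        -e MC_HOST_minio
        {{ MINIO_MC_IMAGE | quote }}
        admin policy info minio {{ MINIO_OIDC_POLICY_NAME | quote }}
      environment:
        MC_HOST_minio: "{{ MINIO_MC_HOST_ENV }}"
      no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
      register: mc_policy_info_raw
      failed_when: false
      changed_when: false

    # The policy is parsed from YAML, serialised to JSON and base64-encoded
    # before templating, so only base64 characters end up between the single
    # quotes of the printf argument; it is decoded again and streamed to mc
    # on stdin (/dev/stdin) instead of being written to a file.
    #
    # NOTE(review): when ASYNC_ENABLED is true and ASYNC_POLL is 0 this task
    # is not awaited, so a failed policy creation would not fail the play.
    # Confirm the configured ASYNC_POLL value.
    - name: "Create policy (RAW with slash) if missing"
      shell: |
        set -euo pipefail
        printf '%s' '{{ (MINIO_OIDC_POLICY_CONTENT | from_yaml | to_json) | b64encode }}' \
        | base64 -d \
        | docker run --rm -i \
          -e MC_HOST_minio \
          {{ MINIO_MC_IMAGE | quote }} \
          admin policy create minio {{ MINIO_OIDC_POLICY_NAME | quote }} /dev/stdin
      args:
        executable: /bin/bash
      environment:
        MC_HOST_minio: "{{ MINIO_MC_HOST_ENV }}"
      no_log: "{{ MASK_CREDENTIALS_IN_LOGS | bool }}"
      async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
      poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
      when:
        - mc_policy_info_raw.rc != 0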