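# Wait for the Docker healthcheck of the Keycloak container to report "healthy"
# before any kcadm call is attempted. Every level of the inspect result is
# defaulted so that a container that does not exist yet (container: null) just
# counts as "not healthy" and triggers another retry, rather than an undefined
# attribute error inside the `until` expression.
- name: "Wait until '{{ KEYCLOAK_CONTAINER }}' container is healthy"
  community.docker.docker_container_info:
    name: "{{ KEYCLOAK_CONTAINER }}"
  register: kc_info
  retries: 60
  delay: 5
  until: >
    kc_info is succeeded
    and (kc_info.container | default({})) != {}
    and (kc_info.container.State | default({})) != {}
    and (kc_info.container.State.Health | default({})) != {}
    and (kc_info.container.State.Health.Status | default('')) == 'healthy'

# Credential handling: the `$KEYCLOAK_*` / `$KC_BOOTSTRAP_*` references sit
# inside the single-quoted `sh -lc '...'` argument, so they are expanded by the
# shell inside the container (presumably via a docker-exec wrapper in
# KEYCLOAK_EXEC_CONTAINER — confirm), never by the shell on the managed host.
# The secret values therefore do not appear in the rendered Ansible command,
# but kcadm's stdout/stderr may echo parts of the invocation on error, so every
# task that passes a password is marked `no_log: true`; registered results stay
# available to the `failed_when` / `changed_when` expressions below.
- name: Ensure permanent Keycloak admin exists and can log in (container env only)
  block:
    # Happy path: the permanent admin already exists and the credentials work.
    - name: Try login with permanent admin (uses container ENV)
      shell: |
        {{ KEYCLOAK_EXEC_CONTAINER }} sh -lc '
          {{ KEYCLOAK_KCADM }} config credentials \
            --server {{ KEYCLOAK_SERVER_INTERNAL_URL }} \
            --realm master \
            --user "$KEYCLOAK_PERMANENT_ADMIN_USERNAME" \
            --password "$KEYCLOAK_PERMANENT_ADMIN_PASSWORD"
        '
      register: kc_login_perm
      changed_when: false
      no_log: true

  # Any failure above (unknown user, wrong password, server not ready) lands
  # here: authenticate as the bootstrap admin and (re)create the permanent one.
  rescue:
    - name: Login with bootstrap admin (uses container ENV)
      shell: |
        {{ KEYCLOAK_EXEC_CONTAINER }} sh -lc '
          {{ KEYCLOAK_KCADM }} config credentials \
            --server {{ KEYCLOAK_SERVER_INTERNAL_URL }} \
            --realm master \
            --user "$KC_BOOTSTRAP_ADMIN_USERNAME" \
            --password "$KC_BOOTSTRAP_ADMIN_PASSWORD"
        '
      register: kc_login_bootstrap
      changed_when: false
      no_log: true

    # Idempotent create: an "already exists" response from kcadm is treated as
    # success (but not as a change); any other non-zero exit fails the task.
    - name: Ensure permanent admin user exists (create if missing)
      shell: |
        {{ KEYCLOAK_EXEC_CONTAINER }} sh -lc '
          {{ KEYCLOAK_KCADM }} create users -r master \
            -s "username=$KEYCLOAK_PERMANENT_ADMIN_USERNAME" \
            -s "enabled=true"
        '
      register: kc_create_perm_admin
      failed_when: >
        not (
          kc_create_perm_admin.rc == 0
          or (kc_create_perm_admin.stderr is defined
              and ('User exists with same username' in kc_create_perm_admin.stderr))
        )
      changed_when: kc_create_perm_admin.rc == 0

    # Always (re)sets the password, so this rescue path is reported as changed
    # whenever it runs; `set-password --username` avoids a separate ID lookup.
    - name: Set permanent admin password (by username, no ID needed)
      shell: |
        {{ KEYCLOAK_EXEC_CONTAINER }} sh -lc '
          {{ KEYCLOAK_KCADM }} set-password -r master \
            --username "$KEYCLOAK_PERMANENT_ADMIN_USERNAME" \
            --new-password "$KEYCLOAK_PERMANENT_ADMIN_PASSWORD"
        '
      changed_when: true
      no_log: true

    # Best-effort: `failed_when: false` means a failed grant (including an
    # authorization error) is never surfaced by this task, and "changed" is
    # reported whenever kcadm printed anything at all. The verify-login task
    # below is the only hard check in this rescue path, and it does not
    # confirm the role assignment — keep that in mind when debugging.
    - name: Grant global admin via master realm role 'admin'
      shell: |
        {{ KEYCLOAK_EXEC_CONTAINER }} sh -lc '
          {{ KEYCLOAK_KCADM }} add-roles -r master \
            --uusername "$KEYCLOAK_PERMANENT_ADMIN_USERNAME" \
            --rolename admin
        '
      register: kc_grant_master_admin
      changed_when: >
        (kc_grant_master_admin.stderr is defined and kc_grant_master_admin.stderr | length > 0)
        or (kc_grant_master_admin.stdout is defined and kc_grant_master_admin.stdout | length > 0)
      failed_when: false

    # Final gate: this task uses the default failure rule, so a non-zero exit
    # from kcadm fails the play — the permanent admin must be usable from here on.
    - name: Verify login with permanent admin (after creation)
      shell: |
        {{ KEYCLOAK_EXEC_CONTAINER }} sh -lc '
          {{ KEYCLOAK_KCADM }} config credentials \
            --server {{ KEYCLOAK_SERVER_INTERNAL_URL }} \
            --realm master \
            --user "$KEYCLOAK_PERMANENT_ADMIN_USERNAME" \
            --password "$KEYCLOAK_PERMANENT_ADMIN_PASSWORD"
        '
      changed_when: false
      no_log: true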