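---
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# node_exporter (host metrics) + Grafana Alloy (scrape locally,
# remote_write to Grafana Cloud Mimir). Replaces the previous
# Promtail+node_exporter setup that scraped from a metal box.
#
# Operator side (one-time, see runbooks/observability.md):
# 1. Sign up for Grafana Cloud free tier at https://grafana.com/
# 2. Create an Access Policy with the `metrics:write` scope only (least
#    privilege: this token only ever needs to push); mint a token under
#    that policy.
# 3. From the Cloud portal, find the Prometheus instance details:
#    - URL (e.g. https://prometheus-prod-NN-prod-us-central-0.grafana.net/api/prom/push)
#    - Username (numeric tenant id, e.g. "1234567")
# 4. Set in inventory/production (the token is a secret: keep it
#    vault-encrypted, never as plaintext in the committed inventory):
#    grafana_cloud_prom_url:
#    grafana_cloud_prom_user:
#    grafana_cloud_prom_token:
# 5. ansible-playbook ... -t monitoring (or just re-run site.yml)

# Host metrics. NOTE(review): node_exporter's default listen address is
# :9100 on all interfaces, with no authentication. Now that Alloy scrapes
# it locally there is no reason to expose it on the network; restrict it
# (ARGS="--web.listen-address=127.0.0.1:9100" in
# /etc/default/prometheus-node-exporter, or a host firewall rule). Not
# done here — confirm against the host's firewall policy first.
- name: node_exporter — install
  apt:
    name: prometheus-node-exporter
    state: present

- name: node_exporter — service started
  systemd:
    name: prometheus-node-exporter
    state: started
    enabled: true

# Grafana Alloy (the rebrand of Grafana Agent) ships from Grafana's
# apt repo. Add the repo + key idempotently.

- name: Grafana repo — keyring dir
  file:
    path: /etc/apt/keyrings
    state: directory
    mode: "0755"

# NOTE(review): the repo signing key is trusted on first download — TLS
# to apt.grafana.com is the only integrity control, and get_url does not
# re-fetch an existing dest by default. Once the key's fingerprint has
# been verified out-of-band, pin it with `checksum: sha256:<digest>` so a
# swapped key fails the run instead of silently becoming trusted (and so
# drift in the on-disk key is detected).
- name: Grafana repo — apt key
  get_url:
    url: https://apt.grafana.com/gpg.key
    dest: /etc/apt/keyrings/grafana.gpg.key
    mode: "0644"

# signed-by= scopes the key above to this one repo; it is not added to
# the global apt trust store.
- name: Grafana repo — sources list
  copy:
    dest: /etc/apt/sources.list.d/grafana.list
    content: |
      deb [signed-by=/etc/apt/keyrings/grafana.gpg.key] https://apt.grafana.com stable main
    mode: "0644"
  register: grafana_repo

# Refresh the package index only when the repo definition changed; an
# unconditional update_cache would make every run slow.
- name: apt update if grafana repo just added
  apt:
    update_cache: true
  when: grafana_repo.changed

- name: Grafana Alloy — install
  apt:
    name: alloy
    state: present

# Credentials live in a dedicated env file so the alloy systemd unit
# can pull them via EnvironmentFile=. Not in /etc/shithub because
# alloy is its own user; we don't want to widen group access there.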
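# root-owned, traversable by group alloy only: the service user can reach
# its config and credentials, other local users cannot.
- name: Alloy creds dir
  file:
    path: /etc/alloy
    state: directory
    owner: root
    group: alloy
    mode: "0750"

# 0640 root:alloy — the service user reads the token, nobody else on the
# host can. `diff: false` keeps the rendered file (which contains the
# token) out of --diff/--check output and the run log.
- name: Alloy credentials env file
  template:
    src: alloy.env.j2
    dest: /etc/alloy/credentials.env
    owner: root
    group: alloy
    mode: "0640"
  diff: false
  notify: restart alloy

# Mode 0644 leaves the config world-readable, so it must never embed the
# token — it has to reference the credentials via the environment
# (EnvironmentFile below). NOTE(review): the template is not in this
# file; confirm alloy-config.river.j2 uses env("...") for the password.
- name: Alloy config (River)
  template:
    src: alloy-config.river.j2
    dest: /etc/alloy/config.alloy
    owner: root
    group: alloy
    mode: "0644"
  notify: restart alloy

- name: Alloy systemd drop-in dir
  file:
    path: /etc/systemd/system/alloy.service.d
    state: directory
    mode: "0755"

# Add our credentials file to the unit's environment. systemd merges
# EnvironmentFile= lines from drop-ins with those in the package unit
# (the directive may be given more than once), so this supplements —
# it does not replace — whatever the upstream unit already loads. The
# drop-in also keeps the package-shipped unit intact across upgrades.
- name: Alloy systemd drop-in for credentials env
  copy:
    dest: /etc/systemd/system/alloy.service.d/shithub.conf
    content: |
      [Service]
      EnvironmentFile=/etc/alloy/credentials.env
    mode: "0644"
  notify:
    - daemon-reload
    - restart alloy

- name: Alloy enabled + started
  systemd:
    name: alloy
    state: started
    enabled: true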