---
- name: Synology DSM - déclencher une mise à jour via l'API DSM (Semaphore/legacy compatible)
  hosts: synology
  gather_facts: false

  vars:
    # --- Connexion DSM ---
    syno_scheme: "https"
    syno_port: 5001
    syno_verify_ssl: false   # true si certificat OK
    syno_user: "{{ vault_syno_user }}"
    syno_pass: "{{ vault_syno_pass }}"
    syno_session: "DSM"

    # --- Upgrade API ---
    upgrade_check_method: "check"   # parfois: "status" / "get"
    upgrade_start_method: "start"

    # --- Sécurité ---
    refuse_if_no_upgrade_api: true

    # --- Réseau ---
    uri_timeout: 60

  tasks:
    - name: Construire base_url
      ansible.builtin.set_fact:
        base_url: "{{ syno_scheme }}://{{ inventory_hostname }}:{{ syno_port }}"

    # 1) Découverte des APIs (paths & versions) via SYNO.API.Info
    # IMPORTANT: Semaphore peut utiliser ansible.legacy.uri => pas de url_parameters.
    - name: Discover SYNO.API.Auth & SYNO.Core.Upgrade via SYNO.API.Info
      ansible.builtin.uri:
        url: "{{ base_url }}/webapi/entry.cgi?api=SYNO.API.Info&version=1&method=query&query=SYNO.API.Auth,SYNO.Core.Upgrade"
        method: GET
        return_content: true
        validate_certs: "{{ syno_verify_ssl }}"
        status_code: 200
        timeout: "{{ uri_timeout }}"
      register: api_info
      failed_when: api_info.json.success is not defined or api_info.json.success != true

    - name: Extraire info Auth/Upgrade
      ansible.builtin.set_fact:
        auth_info: "{{ api_info.json.data['SYNO.API.Auth'] | default({}) }}"
        upgrade_info: "{{ api_info.json.data['SYNO.Core.Upgrade'] | default({}) }}"

    - name: Fail si SYNO.Core.Upgrade absent (optionnel)
      ansible.builtin.fail:
        msg: >-
          L'API SYNO.Core.Upgrade n'est pas exposée sur ce NAS via /webapi.
          Solution de repli: déclenchement via SSH (synoupgrade) ou mise à jour manuelle DSM.
      when:
        - refuse_if_no_upgrade_api | bool
        - (upgrade_info | length) == 0

    - name: Définir chemins et versions max
      ansible.builtin.set_fact:
        # Certains DSM exposent Auth via entry.cgi, d'autres via auth.cgi.
        # On respecte la discovery, mais on garde des valeurs par défaut sûres.
        auth_path: "{{ auth_info.path | default('auth.cgi') }}"
        upgrade_path: "{{ upgrade_info.path | default('entry.cgi') }}"
        upgrade_ver: "{{ upgrade_info.maxVersion | default(1) }}"

    # 2) Login -> SID
    # Fix: le maxVersion retourné peut casser le login (erreur 101).
    # On tente d'abord une version stable (6), puis fallback (2).
    - name: Login DSM API (SYNO.API.Auth) - try v6 then v2
      block:
        - name: Login v6
          ansible.builtin.uri:
            url: "{{ base_url }}/webapi/{{ auth_path }}?api=SYNO.API.Auth&version=6&method=login&account={{ syno_user | urlencode }}&passwd={{ syno_pass | urlencode }}&session={{ syno_session | urlencode }}&format=sid"
            method: GET
            validate_certs: "{{ syno_verify_ssl }}"
            return_content: true
            status_code: 200
            timeout: "{{ uri_timeout }}"
          register: login_v6
          failed_when: login_v6.json.success != true

        - name: Set login result from v6
          ansible.builtin.set_fact:
            login: "{{ login_v6 }}"

      rescue:
        - name: Login v2 (fallback)
          ansible.builtin.uri:
            url: "{{ base_url }}/webapi/{{ auth_path }}?api=SYNO.API.Auth&version=2&method=login&account={{ syno_user | urlencode }}&passwd={{ syno_pass | urlencode }}&session={{ syno_session | urlencode }}&format=sid"
            method: GET
            validate_certs: "{{ syno_verify_ssl }}"
            return_content: true
            status_code: 200
            timeout: "{{ uri_timeout }}"
          register: login_v2
          failed_when: login_v2.json.success != true

        - name: Set login result from v2
          ansible.builtin.set_fact:
            login: "{{ login_v2 }}"

    - name: Enregistrer SID
      ansible.builtin.set_fact:
        sid: "{{ login.json.data.sid }}"

    # 3) (Optionnel) Check update (best effort)
    - name: Check DSM update readiness (best effort)
      ansible.builtin.uri:
        url: "{{ base_url }}/webapi/{{ upgrade_path }}?api=SYNO.Core.Upgrade&version={{ upgrade_ver }}&method={{ upgrade_check_method }}&_sid={{ sid }}"
        method: GET
        validate_certs: "{{ syno_verify_ssl }}"
        return_content: true
        status_code: 200
        timeout: "{{ uri_timeout }}"
      register: upgrade_check
      failed_when: false

    - name: Debug check result (utile pour ajuster upgrade_check_method)
      ansible.builtin.debug:
        var: upgrade_check.json

    # 4) Start upgrade
    - name: Start DSM upgrade (SYNO.Core.Upgrade)
      ansible.builtin.uri:
        url: "{{ base_url }}/webapi/{{ upgrade_path }}?api=SYNO.Core.Upgrade&version={{ upgrade_ver }}&method={{ upgrade_start_method }}&_sid={{ sid }}"
        method: GET
        validate_certs: "{{ syno_verify_ssl }}"
        return_content: true
        status_code: 200
        timeout: "{{ uri_timeout }}"
      register: upgrade_start

    - name: Fail si start a échoué
      ansible.builtin.fail:
        msg: >-
          Echec du démarrage upgrade DSM via API.
          Réponse: {{ upgrade_start.json | to_nice_json }}
      when: upgrade_start.json.success != true

    - name: Afficher résultat start
      ansible.builtin.debug:
        var: upgrade_start.json

    # 5) Logout
    - name: Logout DSM API
      ansible.builtin.uri:
        url: "{{ base_url }}/webapi/{{ auth_path }}?api=SYNO.API.Auth&version=2&method=logout&session={{ syno_session | urlencode }}&_sid={{ sid }}"
        method: GET
        validate_certs: "{{ syno_verify_ssl }}"
        return_content: true
        status_code: 200
        timeout: "{{ uri_timeout }}"
      register: logout
      failed_when: false