infra/roles/app_deployer/files/deploy-app.yml

---
# Generic app deployment playbook
# Deploys any app without requiring per-app playbooks
# Required extra-vars: app_name, app_version
# Optional extra-vars: env (default: prod), app_port, app_env_vars
# Run on the web host (which acts as deployment server)

- hosts: localhost
  become: true
  vars:
    env: "{{ env | default('prod') }}"
    app_dir: "/opt/apps/{{ app_name }}"
    app_binary: "{{ app_dir }}/app"
    systemd_service: "{{ app_name }}"
  pre_tasks:
    - name: Load vault vars if present
      include_vars:
        file: "{{ playbook_dir }}/../secrets/vault.yml"
      when: (lookup('ansible.builtin.fileglob', playbook_dir ~ '/../secrets/vault.yml', wantlist=True) | length) > 0
      tags: [vault]

    - name: Validate required variables
      assert:
        that:
          - app_name | length > 0
          - app_version | length > 0
        fail_msg: "app_name and app_version are required. Use --extra-vars 'app_name=myapp app_version=abc123'"

    - name: Ensure app artifact exists on deployment server
      stat:
        path: "/opt/artifacts/{{ app_name }}-{{ app_version }}"
      register: app_artifact
      delegate_to: localhost
      become: false

    - name: Fail if app artifact is missing
      fail:
        msg: "App artifact not found: /opt/artifacts/{{ app_name }}-{{ app_version }}. Ensure the CI pipeline uploaded it."
      when: not app_artifact.stat.exists
      delegate_to: localhost
      become: false

  tasks:
    - name: Ensure deploy user exists
      user:
        name: "{{ app_name }}"
        system: true
        create_home: false
        shell: /bin/false
        state: present

    - name: Create app directory
      file:
        path: "{{ app_dir }}"
        state: directory
        owner: "{{ app_name }}"
        group: "{{ app_name }}"
        mode: '0755'

    - name: Copy app artifact to target host
      copy:
        src: "/opt/artifacts/{{ app_name }}-{{ app_version }}"
        dest: "{{ app_binary }}"
        owner: "{{ app_name }}"
        group: "{{ app_name }}"
        mode: '0755'
      notify: restart app

    - name: Write environment file if app_env_vars provided
      copy:
        dest: "{{ app_dir }}/.env"
        owner: "{{ app_name }}"
        group: "{{ app_name }}"
        mode: '0600'
        content: "{% for key, value in app_env_vars.items() %}{{ key }}={{ value }}\n{% endfor %}"
      when: app_env_vars is defined
      notify: restart app

    - name: Remove environment file if not provided
      file:
        path: "{{ app_dir }}/.env"
        state: absent
      when: app_env_vars is not defined

    - name: Write systemd service for app
      template:
        src: "app.service.j2"
        dest: "/etc/systemd/system/{{ systemd_service }}.service"
      notify: restart app

    - name: Enable and start app service
      systemd:
        name: "{{ systemd_service }}"
        enabled: true
        state: started
        daemon_reload: true

  handlers:
    - name: restart app
      systemd:
        name: "{{ systemd_service }}"
        state: restarted