# OpsPlaybook that provisions a new host or VM end to end: DNS, base OS
# configuration, identity enrollment, monitoring, backup, CMDB registration,
# and a final verification gate (see spec.description).
#
# Two placeholder styles appear below. Single-brace values such as
# "{hostname}" or "{restic|borgbackup}" look like fill-in slots completed
# when this template is instantiated (the `a|b` form lists the accepted
# choices); double-brace values such as "{{ hostname }}" look like
# references to spec.vars / spec.targets resolved by the playbook engine.
# NOTE(review): this split is inferred from usage — confirm against the
# ops.aiwg.io/v1 OpsPlaybook schema.
apiVersion: ops.aiwg.io/v1
kind: OpsPlaybook
metadata:
  name: provision-host
  labels:
    type: provisioning
spec:
  description: "Provision a new host or VM with DNS registration, base configuration, identity enrollment, monitoring, and verification."
  # Inventory the target hostname is resolved against.
  inventory: fleet-inventory
  targets:
    hosts:
      - "{hostname}"
  # Variables the steps reference as "{{ name }}".
  vars:
    role: "{role}"
    ip: "{ip-address}"
    domain: "{domain}"
    site: "{site-name}"
    admin_user: "{admin-username}"
    # A reference to a stored key, not the key material itself, so no
    # credential is embedded in the playbook.
    ssh_key_ref: "{ssh-key-reference}"
  # Steps form a DAG via depends_on. on_failure is `abort` or `warn`;
  # presumably abort stops the playbook and warn records the failure and
  # continues — confirm. The verify step at the end is where the `warn`
  # outcomes of monitoring-register and asset-register are re-checked.
  steps:
    # Forward DNS record for the new host. Every other step depends on this
    # directly or through base-setup, so a failure aborts.
    - id: dns-register
      name: "Register DNS records"
      capability: dns-register
      inputs:
        hostname: "{{ hostname }}"
        ip: "{{ ip }}"
        domain: "{{ domain }}"
        # An A record is IPv4-only. NOTE(review): an IPv6 {ip-address} would
        # need AAAA; confirm whether dns-register accepts other record types.
        record_type: A
        # Presumably also requests the matching PTR record — confirm.
        reverse: true
      on_failure: abort

    # Base OS configuration and admin access. The admin account and its key
    # reference come from spec.vars.
    - id: base-setup
      name: "Base OS configuration"
      capability: host-standup
      depends_on:
        - dns-register
      inputs:
        hostname: "{{ hostname }}"
        role: "{{ role }}"
        admin_user: "{{ admin_user }}"
        ssh_key_ref: "{{ ssh_key_ref }}"
        packages:
          - curl
          - jq
          - htop
          # NOTE(review): installing the package does not by itself enable
          # automatic updates — confirm host-standup also configures it.
          - unattended-upgrades
      on_failure: abort

    # Join the host to the identity provider. A failure aborts, so the
    # playbook does not continue with a host that lacks central identity.
    - id: identity-enroll
      name: "Enroll in identity provider"
      capability: identity-enroll
      depends_on:
        - base-setup
      inputs:
        hostname: "{{ hostname }}"
        realm: "{idp-realm}"
        role: "{{ role }}"
        groups:
          - "{default-group}"
      on_failure: abort

    # Register with monitoring. Depends only on base-setup, so it can run
    # alongside identity-enroll.
    - id: monitoring-register
      name: "Register with monitoring stack"
      capability: monitoring-register
      depends_on:
        - base-setup
      inputs:
        hostname: "{{ hostname }}"
        ip: "{{ ip }}"
        exporters:
          - node-exporter
          - "{role-specific-exporter}"
        dashboard_template: "{dashboard-template}"
        alert_group: "{alert-group}"
      # warn: the playbook continues, but verify depends on this step and
      # runs the monitoring_reporting check, so a failure here is still
      # surfaced before the playbook completes.
      on_failure: warn

    # Backup schedule. NOTE(review): this is the only step the final verify
    # step neither depends on nor checks, so a warn here is the last signal
    # a failed backup setup produces. Consider adding a backup check to
    # host-verify if that capability supports one.
    - id: backup-configure
      name: "Configure backup schedule"
      capability: backup-configure
      depends_on:
        - base-setup
      inputs:
        hostname: "{{ hostname }}"
        method: "{restic|borgbackup}"
        schedule: "{cron-expression}"
        retention: "{days}"
        paths:
          - /etc
          - "{data-paths}"
      on_failure: warn

    # CMDB registration. Waits for both DNS and base setup so the recorded
    # hostname, ip and role reflect the provisioned host.
    - id: asset-register
      name: "Register in CMDB"
      capability: host-inventory
      depends_on:
        - dns-register
        - base-setup
      inputs:
        hostname: "{{ hostname }}"
        ip: "{{ ip }}"
        role: "{{ role }}"
        site: "{{ site }}"
        owner: "{owner}"
        sla_tier: "{gold|silver|bronze}"
      on_failure: warn

    # Final gate. Depends on every step except backup-configure, and each
    # check presumably corresponds to one upstream step (dns-register,
    # base-setup, identity-enroll, monitoring-register, asset-register) —
    # confirm against host-verify.
    - id: verify
      name: "End-to-end verification"
      capability: host-verify
      depends_on:
        - dns-register
        - base-setup
        - identity-enroll
        - monitoring-register
        - asset-register
      inputs:
        hostname: "{{ hostname }}"
        checks:
          - dns_resolves
          - ssh_reachable
          - identity_enrolled
          - monitoring_reporting
          - cmdb_registered
      # A failed verification aborts rather than warns.
      on_failure: abort
