---
- name: "Stat credentials file"
  ansible.builtin.stat:
    path: "{{ sub_configuration_directories['secrets'] }}/{{ configuration_credentials_vars_file }}"
  register: _credentials_file
  delegate_to: localhost

- name: "Stat vault credentials file"
  ansible.builtin.stat:
    path: "{{ sub_configuration_directories['secrets'] }}/vault.yml"
  register: _vault_credentials_file
  delegate_to: localhost

- name: "Make sure credentials file exists"
  ansible.builtin.assert:
    that:
      - _credentials_file.stat.exists
    fail_msg: >-
      Credentials file {{ _credentials_file.stat.path }} was not found, cannot continue without it.
  delegate_to: localhost

- name: "Load credentials variables"
  ansible.builtin.include_vars:
    dir: "{{ sub_configuration_directories['secrets'] }}"
    files_matching: "{{ configuration_credentials_vars_file }}"
    depth: 1
    name: _credentials
  delegate_to: localhost

- name: "Load vault credentials if vault.yml exists"
  ansible.builtin.include_vars:
    dir: "{{ sub_configuration_directories['secrets'] }}"
    files_matching: "vault.yml"
    depth: 1
    name: _vault_credentials
  when: _vault_credentials_file.stat.exists
  delegate_to: localhost

- name: "Merge vault credentials into _credentials"
  vars:
    _config_to_merge:
      vault: "{{ _vault_credentials }}"
  ansible.builtin.set_fact:
    _credentials: "{{ _credentials | combine(_config_to_merge, recursive=true) }}"
  when: _vault_credentials_file.stat.exists
  delegate_to: localhost