---
- name: Install apt-transport-https
  apt:
    update_cache: yes
    name: apt-transport-https
    state: present
  when: not ansible_check_mode

- name: Install gnupg
  apt:
    update_cache: yes
    name: gnupg
    state: present
  when: not ansible_check_mode

- name: "Check if {{ datadog_apt_usr_share_keyring }} exists with correct mode"
  stat:
    path: "{{ datadog_apt_usr_share_keyring }}"
  register: apt_keyring_file

- name: "Ensure {{ datadog_apt_usr_share_keyring }} exists"
  file:
    path: "{{ datadog_apt_usr_share_keyring }}"
    owner: root
    group: root
    mode: "0644"
    state: touch
  when: not ansible_check_mode and (not apt_keyring_file.stat.exists or not apt_keyring_file.stat.mode == "0644")

- name: Install apt keys from default URLs
  include_tasks: _apt-key-import.yml
  with_items:
    "{{ datadog_apt_default_keys }}"
  when: datadog_apt_key_url_new is not defined and not ansible_check_mode

- name: Install apt keys from custom URL
  include_tasks: _apt-key-import.yml
  with_items:
    - key: A2923DFF56EDA6E76E55E492D3A80E30382E94DE
      value: "{{ datadog_apt_key_url_new }}"
    - key: D75CEA17048B9ACBF186794B32637D44F14F620E
      value: "{{ datadog_apt_key_url_new }}"
  when: datadog_apt_key_url_new is defined and not ansible_check_mode

- name: "Ensure {{ datadog_apt_trusted_d_keyring }} exists with same contents as {{ datadog_apt_usr_share_keyring }} for older distro versions"
  copy:
    src: "{{ datadog_apt_usr_share_keyring }}"
    dest: "{{ datadog_apt_trusted_d_keyring }}"
    mode: "0644"
    remote_src: yes
  when: ((ansible_distribution == 'Debian' and ansible_distribution_major_version|int < 9) or (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version|int < 16)) and not ansible_check_mode

- name: Ensure Datadog non-https repositories and repositories not using signed-by option are deprecated
  apt_repository:
    repo: "{{ item }}"
    state: "absent"
    update_cache: yes
  with_items:
    - "deb http://apt.datadoghq.com/ stable main"
    - "deb http://apt.datadoghq.com/ stable 6"
    - "deb http://apt.datadoghq.com/ stable 7"
    - "deb https://apt.datadoghq.com/ stable main"
    - "deb https://apt.datadoghq.com/ stable 6"
    - "deb https://apt.datadoghq.com/ stable 7"
  when: not ansible_check_mode

- name: Ensure Datadog repository is up-to-date
  apt_repository:
    filename: "ansible_datadog_{{ item.key }}"
    repo: "{{ item.value }}"
    state: "{% if item.key == datadog_agent_major_version|int and datadog_apt_repo | length == 0 %}present{% else %}absent{% endif %}"
    update_cache: yes
  when: (not ansible_check_mode)
  with_dict:
    5: '{{ datadog_agent5_apt_repo }}'
    6: '{{ datadog_agent6_apt_repo }}'
    7: '{{ datadog_agent7_apt_repo }}'

- name: Initialize custom repo file deletion flag to False
  set_fact:
    datadog_remove_custom_repo_file: "False"

- name: Check if custom repository file exists
  stat:
    path: /etc/apt/sources.list.d/ansible_datadog_custom.list
  register: datadog_custom_repo_file

- name: Fetch custom repository file
  slurp:
    src: /etc/apt/sources.list.d/ansible_datadog_custom.list
  register: datadog_custom_repo_file_contents
  when: datadog_custom_repo_file.stat.exists

- name: Flag custom repository file for deletion if different from current repository config
  set_fact:
    datadog_remove_custom_repo_file: "{{ datadog_repo_file_contents != datadog_apt_repo }}"
  vars:
    datadog_repo_file_contents: "{{ datadog_custom_repo_file_contents['content'] | b64decode | trim }}"
  when: datadog_custom_repo_file.stat.exists

- name: (Custom) Remove Datadog custom repository file when not set or updated
  file:
    path: /etc/apt/sources.list.d/ansible_datadog_custom.list
    state: absent
  when: (datadog_apt_repo | length == 0) or datadog_remove_custom_repo_file and (not ansible_check_mode)

- name: (Custom) Ensure Datadog repository is up-to-date
  apt_repository:
    filename: ansible_datadog_custom
    repo: "{{ datadog_apt_repo }}"
    state: present
    update_cache: yes
  when: (datadog_apt_repo | length > 0) and (not ansible_check_mode)

- include_tasks: pkg-debian/install-pinned.yml
  when: datadog_agent_debian_version is defined

- include_tasks: pkg-debian/install-latest.yml
  when: datadog_agent_debian_version is not defined

- name: Install latest datadog-signing-keys package
  apt:
    name: datadog-signing-keys
    state: latest  # noqa 403
    # we don't use update_cache: yes, as that was just done by the install-pinned/install-latest
  register: datadog_signing_keys_install
  when: not ansible_check_mode