---
# Bare-metal Alloy on systemd. No docker on this LXC (Meridian + LiteLLM
# both run as systemd services). Apt-installed for clean self-updates.

- name: Install Alloy prereqs
  apt:
    name:
      - gpg
      - apt-transport-https
    state: present
    update_cache: false

- name: Add Grafana apt signing key
  get_url:
    url: https://apt.grafana.com/gpg.key
    dest: /etc/apt/keyrings/grafana.gpg.asc
    mode: '0644'

- name: Add Grafana apt repo
  copy:
    content: |
      deb [signed-by=/etc/apt/keyrings/grafana.gpg.asc] https://apt.grafana.com stable main
    dest: /etc/apt/sources.list.d/grafana.list
    mode: '0644'
  register: alloy_apt_repo

- name: Apt update (if repo just added)
  apt:
    update_cache: yes
  when: alloy_apt_repo.changed

- name: Install Alloy
  apt:
    name: alloy
    state: present
    update_cache: yes
    cache_valid_time: 3600

# The package's default alloy user needs to read /var/log/journal. systemd-journal
# group membership lets it read persistent journal without root.
- name: Add alloy user to systemd-journal group
  user:
    name: alloy
    groups: systemd-journal
    append: yes
  notify: restart alloy

- name: Deploy Alloy config
  template:
    src: config.alloy.j2
    dest: /etc/alloy/config.alloy
    owner: alloy
    group: alloy
    mode: '0644'
  notify: restart alloy

- name: Enable + start Alloy
  systemd:
    name: alloy
    enabled: yes
    state: started
    daemon_reload: yes