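---
# Starts the pre-registered SYSTEM patch task on every domain controller,
# waits for it to finish, checks its exit code, and reboots when the task is
# left in the Ready state.
- name: Run DC patch task via JEA-PatchOps
  hosts: domain_controllers
  gather_facts: false
  vars:
    # Task Scheduler root folder. Single-quoted YAML keeps backslashes
    # literal, so this is exactly one backslash ('\\' would be two).
    task_path: '\'
    task_name: 'Patching-windows-task'
    # Seconds between polls.
    poll_delay: 60
    # 360 polls x 60 s = up to 6 h of waiting.
    finish_retries: 360

  tasks:
    - name: Ensure the task is enabled
      ansible.windows.win_powershell:
        # Values are passed as parameters, not templated into the script
        # text, so a quote in a variable cannot alter the PowerShell that
        # runs on the domain controller.
        parameters:
          TaskPath: "{{ task_path }}"
          TaskName: "{{ task_name }}"
        script: |
          param([string]$TaskPath, [string]$TaskName)
          # Stop on a missing task instead of carrying on with $null.
          $ErrorActionPreference = 'Stop'
          Import-Module ScheduledTasks
          $task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName
          if ($task.Settings.Enabled) {
              $Ansible.Changed = $false
          }
          else {
              Enable-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName |
                  Out-Null
          }

    - name: Start the SYSTEM patch task
      ansible.windows.win_command: >
        schtasks /Run /TN "{{ task_path }}{{ task_name }}"
      register: start_task
      changed_when: start_task.rc == 0
      # A start failure must stop the play for this host; otherwise the poll
      # below can pass on the result of an earlier run and a domain
      # controller is rebooted and reported as patched when it was not.
      failed_when: start_task.rc != 0

    # NOTE(review): this assumes the task has left the Ready state by the
    # time the first poll runs; if it can still be queued, compare
    # LastRunTime with a value captured before the start - confirm.
    - name: Poll until the task has finished (Ready or Disabled)
      ansible.windows.win_powershell:
        parameters:
          TaskPath: "{{ task_path }}"
          TaskName: "{{ task_name }}"
        script: |
          param([string]$TaskPath, [string]$TaskName)
          $ErrorActionPreference = 'Stop'
          Import-Module ScheduledTasks
          # State is a property of the task object; Get-ScheduledTaskInfo
          # carries LastTaskResult but no State.
          $task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName
          $info = $task | Get-ScheduledTaskInfo
          $Ansible.Changed = $false
          # win_powershell has no stdout return value; hand the data back
          # through $Ansible.Result (registered as task_info.result). The
          # string cast keeps State as a name rather than an enum number.
          $Ansible.Result = @{
              State          = [string]$task.State
              LastTaskResult = [int64]$info.LastTaskResult
          }
      register: task_info
      # A failed attempt is retried; running out of retries still fails.
      failed_when: false
      retries: "{{ finish_retries }}"
      delay: "{{ poll_delay }}"
      until: >-
        ((task_info.result | default({})).State | default(''))
        in ['Ready', 'Disabled']

    # Checked separately so a task that ended with an error is reported at
    # once instead of being polled until the retries run out.
    - name: Fail if the patch task did not finish successfully
      ansible.builtin.assert:
        that:
          - (task_info.result.LastTaskResult | int) == 0
        fail_msg: >-
          Patch task finished in state {{ task_info.result.State }} with
          LastTaskResult {{ task_info.result.LastTaskResult }}.

    # Presumably the patch task disables itself when no reboot is required,
    # so Ready means a reboot is pending - verify against the task itself.
    - name: Reboot if needed
      ansible.windows.win_reboot:
        reboot_timeout: 5400
      when: task_info.result.State == 'Ready'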