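---
# Interactive verification playbook, run after firewall changes.
# It asks the operator to open Grafana in a browser, waits 20 seconds, then
# reads the Traefik access log and prints the client address each recent
# Grafana request arrived from (VPN range, the known public address, or other).
# Every task only prints messages or reads the log; nothing on the host is
# modified, which is why the shell tasks carry `changed_when: false`.
#
# NOTE(review): the "?" characters inside the messages look like non-ASCII
# characters (umlauts, symbols) lost to an encoding error. They are runtime
# output and are kept exactly as found; restore them from the original file.
- name: Monitor Grafana Access After Firewall Changes
  hosts: production
  gather_facts: false
  become: false

  tasks:
    - name: Instructions
      debug:
        msg:
          - "=== LIVE MONITORING NACH FIREWALL-?NDERUNGEN ==="
          - "Firewall-Regeln wurden erstellt ?"
          - "WireGuard ist verbunden ?"
          - ""
          - "Bitte mache JETZT einen neuen Zugriff auf https://grafana.michaelschiemer.de im Browser"
          - "Ich warte 20 Sekunden und pr?fe dann die Logs..."
          - ""

    # Records the time field of the newest log entry before the operator's
    # request. It is only displayed; the later tasks do not filter on it, so
    # compare the times they print against this value by hand.
    - name: Get current log timestamp
      shell: |
        cd ~/deployment/stacks/traefik
        tail -1 logs/access.log | grep -oP '"time":"[^"]*"'
      args:
        executable: /bin/bash
      register: current_timestamp
      # Read-only command: never report "changed".
      changed_when: false
      # Best effort: grep exits non-zero when the last line has no time field.
      failed_when: false

    - name: Display current timestamp
      debug:
        msg: "Letztes Log: {{ current_timestamp.stdout }}"

    - name: Wait for access attempt
      pause:
        seconds: 20

    # Classifies the last 20 log lines that mention "grafana" by ClientHost.
    # NOTE(review): `grep -i grafana` matches anywhere in the line, so a
    # request for another host that merely contains "grafana" in its path or
    # headers is counted too. Confirm the entries really belong to the Grafana
    # router before acting on the result.
    # NOTE(review): the window is the last 200 log lines, not "lines newer
    # than the timestamp above", so older requests can appear in the output.
    - name: Check for new Grafana access
      shell: |
        cd ~/deployment/stacks/traefik
        tail -200 logs/access.log | grep -i grafana | tail -20 | while IFS= read -r line; do
          time=$(echo "$line" | grep -oP '"time":"[^"]*"' | sed 's/"time":"//;s/"//' | cut -d'T' -f2 | cut -d'+' -f1 | cut -d':' -f1-2)
          client=$(echo "$line" | grep -oP '"ClientHost":"[^"]*"' | sed 's/"ClientHost":"//;s/"//')
          status=$(echo "$line" | grep -oP '"DownstreamStatus":[0-9]+' | sed 's/"DownstreamStatus"://')
          if echo "$client" | grep -q '^10\.8\.0\.'; then
            echo "$time | ClientHost: $client | Status: $status ? VPN-IP (Traffic kommt ?ber VPN!)"
          elif [ "$client" = "89.246.96.244" ]; then
            echo "$time | ClientHost: $client | Status: $status ? Public IP (Traffic kommt NICHT ?ber VPN)"
          else
            echo "$time | ClientHost: $client | Status: $status ? Unknown IP"
          fi
        done
      args:
        executable: /bin/bash
      register: analysis
      changed_when: false
      # `failed_when: false` already keeps this task from failing, so the
      # duplicate `ignore_errors` was dropped.
      failed_when: false

    - name: Display analysis
      debug:
        msg: "{{ analysis.stdout_lines }}"

    # Distinct ClientHost values among the last 10 matching lines. An empty
    # list means no matching entry was found (or the log could not be read),
    # not that access is blocked.
    - name: Get unique client IPs from last 10 requests
      shell: |
        cd ~/deployment/stacks/traefik
        tail -100 logs/access.log | grep -i grafana | tail -10 |
          grep -oP '"ClientHost":"[^"]*"' | sed 's/"ClientHost":"//;s/"//' | sort -u
      args:
        executable: /bin/bash
      register: unique_ips
      changed_when: false
      failed_when: false

    - name: Display unique IPs
      debug:
        msg: "{{ unique_ips.stdout_lines }}"

    # The verdict is left to the operator. Before removing the temporary IP
    # allowance, make sure the VPN address shows up for the request made during
    # the pause and that the public address does not appear for that request.
    - name: Final verdict
      debug:
        msg:
          - ""
          - "=== ERGEBNIS ==="
          - "Pr?fe die obigen Zeilen:"
          - ""
          - "? Wenn ClientHost: 10.8.0.7 ? Traffic kommt ?ber VPN!"
          - " ? Dann k?nnen wir die tempor?re IP-Erlaubnis entfernen!"
          - ""
          - "? Wenn ClientHost: 89.246.96.244 ? Traffic kommt NICHT ?ber VPN"
          - " ? Dann m?ssen wir weitere Optionen probieren (Route explizit setzen, etc.)"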