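---
# Read-only diagnostic playbook: after giving the operator a 10 second window
# to send a request to Grafana, it prints the most recent Grafana-related
# Traefik access-log entries, the client addresses Traefik recorded for them,
# whether those addresses fall inside the VPN range 10.8.0.0/24, recent
# middleware-related lines from traefik.log, and the grafana-vpn-only
# middleware definition. Nothing on the host is modified.
#
# Security notes for whoever reads the output:
# - Access-log lines carry request-derived fields, so everything printed by
#   the debug tasks is untrusted text and ends up in the Ansible output and
#   any CI log that captures it.
# - `grep -i grafana` matches the word anywhere in a line, so entries for
#   other routes that merely mention "grafana" are included as well.
# - The VPN-range test below is a diagnostic aid only; access control is
#   whatever the grafana-vpn-only middleware enforces.
- name: Live Monitor Grafana Access - Watch Traefik Logs in Real-Time
  hosts: production
  gather_facts: false
  become: false

  tasks:
    # Despite its name this task clears nothing; it only opens the request
    # window. `pause` is used because a shell task's echo output is shown
    # only after the task has finished, i.e. after the wait is already over.
    - name: Clear previous Grafana access attempts count
      pause:
        seconds: 10
        prompt: >-
          Starting live monitoring. Make a request to
          https://grafana.michaelschiemer.de now!

    # All shell tasks below only read logs/config: they never report
    # "changed" and never fail the play (a missing log file or an empty grep
    # result is a valid diagnostic outcome here).
    - name: Show recent Grafana access attempts
      shell: |
        cd ~/deployment/stacks/traefik
        echo "=== Last 5 Grafana Access Attempts ==="
        tail -100 logs/access.log | grep -i grafana | tail -5
      args:
        executable: /bin/bash
      register: recent_access
      changed_when: false
      failed_when: false

    - name: Display recent access attempts
      debug:
        msg: "{{ recent_access.stdout_lines }}"

    # ClientHost is the address Traefik logged for the connection.
    # NOTE(review): if a proxy, load balancer or NAT sits in front of Traefik
    # this may be that hop's address rather than the VPN client's - confirm
    # against the deployment before drawing conclusions.
    - name: Check current client IP pattern
      shell: |
        cd ~/deployment/stacks/traefik
        echo "=== Client IPs in recent Grafana requests ==="
        tail -50 logs/access.log |
          grep -i grafana |
          tail -10 |
          grep -oP '"ClientHost":"[^"]*"' |
          head -5
      args:
        executable: /bin/bash
      register: client_ips
      changed_when: false
      failed_when: false

    - name: Display client IPs
      debug:
        msg: "{{ client_ips.stdout_lines }}"

    # Classifies the last three logged client addresses. The regex is a loose
    # textual match on 10.8.0.<digits> (it does not bound the last octet),
    # which is sufficient for a hint but is not an allow-list implementation.
    - name: Extract and check client IPs
      shell: |
        cd ~/deployment/stacks/traefik
        echo "=== Checking if client IPs are in VPN range (10.8.0.0/24) ==="
        tail -20 logs/access.log |
          grep -i grafana |
          tail -3 |
          grep -oP '"ClientHost":"[^"]*"' |
          sed 's/"ClientHost":"//;s/"//' |
          while read -r ip; do
            if [[ "$ip" =~ ^10\.8\.0\.[0-9]+$ ]]; then
              echo "$ip -> In VPN range (10.8.0.0/24): YES"
            else
              echo "$ip -> In VPN range (10.8.0.0/24): NO (this is the problem!)"
            fi
          done
      args:
        executable: /bin/bash
      register: vpn_check
      changed_when: false
      failed_when: false

    - name: Display VPN range check
      debug:
        msg: "{{ vpn_check.stdout_lines }}"

    # The matches are captured first and tested for emptiness. Chaining
    # `|| echo ...` onto the pipeline would test only the final `tail`, which
    # succeeds even when grep finds nothing, so the fallback never printed.
    - name: Show Traefik middleware errors
      shell: |
        cd ~/deployment/stacks/traefik
        echo "=== Traefik Middleware Errors (if any) ==="
        matches="$(tail -50 logs/traefik.log |
          grep -iE "(grafana|ipallowlist|403|middleware)" |
          tail -10)"
        if [[ -n "$matches" ]]; then
          printf '%s\n' "$matches"
        else
          echo "No middleware errors found"
        fi
      args:
        executable: /bin/bash
      register: middleware_errors
      changed_when: false
      failed_when: false

    - name: Display middleware errors
      debug:
        msg: "{{ middleware_errors.stdout_lines }}"

    # Prints the middleware header line plus the six lines after it; a longer
    # definition is truncated, so compare the allowed source ranges against
    # the full file when in doubt.
    - name: Verify middleware configuration
      shell: |
        cd ~/deployment/stacks/traefik/dynamic
        echo "=== Current grafana-vpn-only Middleware ==="
        grep -A 6 "grafana-vpn-only:" middlewares.yml
      args:
        executable: /bin/bash
      register: middleware_config
      changed_when: false
      failed_when: false

    # `debug` takes a mapping here, like the other display tasks; a block
    # scalar (`debug: |`) would hand the module a plain string instead.
    - name: Display middleware configuration
      debug:
        msg: "{{ middleware_config.stdout_lines }}"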