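---
# Read-only diagnostics for a 403 returned by Grafana behind Traefik.
# Collects Traefik logs, the Grafana container state and its Traefik labels,
# the CoreDNS Corefile, the VPN allowlist variable, a DNS lookup through the
# VPN resolver and the WireGuard interface state, then prints each result.
#
# NOTE: the printed output contains access-log lines (client IPs, request
# paths), the VPN IP allowlist and WireGuard peer details. It ends up on the
# Ansible console and in any configured log_path or CI job log, so treat
# those logs as sensitive.
- name: Debug Grafana 403 Error
  hosts: production
  gather_facts: true
  become: false

  # This playbook requires the production inventory file
  # Run with: ansible-playbook -i ../inventory/production.yml debug-grafana-403.yml

  tasks:
    # Every check below is best-effort: `failed_when: false` keeps the play
    # going when a command fails (this already makes `ignore_errors`
    # redundant), and `changed_when: false` stops read-only commands from
    # being reported as changes.
    - name: Check Traefik logs for recent Grafana access attempts
      shell: |
        # pipefail: without it the pipeline status is that of the final
        # `tail`, which always succeeds, so the fallback message never shows.
        set -o pipefail
        # Stop if the stack directory is missing instead of running the
        # following commands in the wrong directory.
        cd ~/deployment/stacks/traefik || { echo "traefik stack directory not found"; exit 0; }
        echo "=== Recent Traefik Access Logs (last 50 lines with grafana) ==="
        docker compose logs --tail=100 traefik 2>&1 | grep -i grafana | tail -50 \
          || echo "No grafana entries found"
      args:
        executable: /bin/bash
      register: traefik_logs
      changed_when: false
      failed_when: false

    - name: Display Traefik logs
      debug:
        msg: "{{ traefik_logs.stdout_lines }}"

    - name: Check Traefik access log file
      shell: |
        cd ~/deployment/stacks/traefik || { echo "traefik stack directory not found"; exit 0; }
        echo "=== Recent Traefik Access Log (last 50 lines) ==="
        # A single tail: piping into a second `tail` hid the exit status of
        # the first one, so the fallback below could never run.
        tail -n 50 logs/access.log 2>&1 || echo "Access log not found"
      args:
        executable: /bin/bash
      register: access_log
      changed_when: false
      failed_when: false

    - name: Display access log
      debug:
        msg: "{{ access_log.stdout_lines }}"

    - name: Check Grafana container status
      shell: |
        cd ~/deployment/stacks/monitoring || { echo "monitoring stack directory not found"; exit 0; }
        docker compose ps grafana
      args:
        executable: /bin/bash
      register: grafana_status
      changed_when: false
      failed_when: false

    - name: Display Grafana status
      debug:
        msg: "{{ grafana_status.stdout_lines }}"

    - name: Check Grafana Traefik labels
      shell: |
        cd ~/deployment/stacks/monitoring || { echo "monitoring stack directory not found"; exit 0; }
        # Case-insensitive match: labels are often written in camelCase
        # (ipWhiteList.sourceRange). `ipallowlist` covers the newer name of
        # the same Traefik middleware.
        docker compose config | grep -A 20 "grafana:" \
          | grep -iE "(ipwhitelist|ipallowlist|middleware|sourcerange)" \
          || echo "No IP whitelist labels found"
      args:
        executable: /bin/bash
      register: grafana_labels
      changed_when: false
      failed_when: false

    - name: Display Grafana labels
      debug:
        msg: "{{ grafana_labels.stdout_lines }}"

    - name: Check CoreDNS configuration
      shell: |
        cd ~/deployment/stacks/dns || { echo "dns stack directory not found"; exit 0; }
        echo "=== CoreDNS Corefile ==="
        cat Corefile 2>&1 || echo "Corefile not found"
      args:
        executable: /bin/bash
      register: coredns_config
      changed_when: false
      failed_when: false

    - name: Display CoreDNS configuration
      debug:
        msg: "{{ coredns_config.stdout_lines }}"

    - name: Check monitoring stack environment variables
      shell: |
        # The cd guard matters here: falling through would grep whatever
        # .env happens to be in the login directory.
        cd ~/deployment/stacks/monitoring || { echo "monitoring stack directory not found"; exit 0; }
        echo "=== MONITORING_VPN_IP_WHITELIST ==="
        # Only this one variable is printed; the rest of .env (which may hold
        # credentials) is deliberately kept out of the play output.
        grep MONITORING_VPN_IP_WHITELIST .env 2>&1 || echo "Variable not found in .env"
      args:
        executable: /bin/bash
      register: monitoring_env
      changed_when: false
      failed_when: false

    - name: Display monitoring environment
      debug:
        msg: "{{ monitoring_env.stdout_lines }}"

    - name: Test DNS resolution for grafana.michaelschiemer.de
      shell: |
        echo "=== DNS Resolution Test ==="
        # `dig +short` exits 0 with empty output when the name does not
        # resolve, so an empty answer is treated as a failure as well.
        if answer="$(dig +short grafana.michaelschiemer.de @10.8.0.1 2>&1)" && [ -n "$answer" ]; then
          echo "$answer"
        else
          [ -n "$answer" ] && echo "$answer"
          echo "DNS resolution failed"
        fi
      args:
        executable: /bin/bash
      register: dns_test
      changed_when: false
      failed_when: false

    - name: Display DNS test result
      debug:
        msg: "{{ dns_test.stdout_lines }}"

    - name: Check WireGuard interface status
      shell: |
        echo "=== WireGuard Interface Status ==="
        # The play runs with become disabled, so this depends on passwordless
        # sudo for the login user. -n makes sudo fail immediately instead of
        # waiting on a password prompt. `wg show` masks private and preshared
        # keys by default; peer public keys, endpoints and allowed IPs are
        # still printed.
        sudo -n wg show 2>&1 || echo "WireGuard not running or no permissions"
      args:
        executable: /bin/bash
      register: wg_status
      changed_when: false
      failed_when: false

    - name: Display WireGuard status
      debug:
        msg: "{{ wg_status.stdout_lines }}"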