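---
# Smoke-test a WireGuard client config by bringing it up inside a throwaway
# container on the production host and probing, from inside that container,
# the VPN server, Grafana over HTTPS, DNS, and the Traefik access log.
#
# Usage:
#   ansible-playbook <this-playbook> -e 'client_name=grafana-test'
#   ansible-playbook <this-playbook> -e 'client_name=grafana-test cleanup_after_test=true'
#
# Security notes (read before running on production):
#   * The client config contains the client's PRIVATE KEY. It is copied to
#     wireguard_config_path on the host (file 0600, directory 0700) and is
#     left there unless cleanup_after_test=true. The slurp/copy tasks are
#     no_log so the key does not appear in verbose Ansible output.
#   * The container gets NET_ADMIN only. SYS_MODULE (used by an earlier
#     version of this playbook) allows the container to load kernel modules,
#     which is equivalent to host root; it is not needed when WireGuard is
#     built into the kernel (5.6+), which is the case on any host that already
#     runs the WireGuard server. Re-add it only if the container logs show a
#     module-load failure, and remove it again afterwards.
#   * wireguard_image defaults to a floating :latest tag. Pin it to a digest
#     or fixed tag in inventory so test runs are reproducible and reviewable.
#   * client_name is interpolated into file paths and shell commands, so it is
#     restricted to [A-Za-z0-9_-] before use.
- name: Test WireGuard Connection from Docker Container
  hosts: production
  become: true
  gather_facts: true
  vars:
    test_container_name: "wireguard-test-client"
    wireguard_config_path: "/tmp/wireguard-test"
    # Image for the throwaway client; override with a pinned tag or digest.
    wireguard_image: "ghcr.io/linuxserver/wireguard:latest"
    # VPN-side address of the WireGuard server the client must be able to ping.
    wireguard_server_ip: "10.8.0.1"
    # HTTPS service behind the VPN that the client should reach. TLS is
    # verified (no -k), so a bad cert shows up as FAILED rather than 200.
    grafana_url: "https://grafana.michaelschiemer.de/"
    # Traefik stack directory holding logs/access.log. "~" is expanded by the
    # shell for the become user (root with become: true) — override if the
    # stack lives under a different account's home.
    traefik_stack_dir: "~/deployment/stacks/traefik"
    # Shown when the client config has no parsable "Address =" line.
    default_client_vpn_ip: "10.8.0.7"
    # Remove the container and the copied key material at the end of the run.
    cleanup_after_test: false
    # Client configs are expected next to the playbook directory.
    client_config_file: "{{ playbook_dir }}/../wireguard-clients/{{ client_name | default('') }}.conf"

  tasks:
    - name: Validate client name
      fail:
        msg: "client_name is required. Usage: ansible-playbook ... -e 'client_name=grafana-test'"
      when: client_name is not defined or client_name == ""

    # Block path traversal ("../") and shell metacharacters before client_name
    # reaches file paths and docker command lines below.
    - name: Reject unsafe client name
      fail:
        msg: "client_name may only contain letters, digits, '_' and '-' (got: {{ client_name }})"
      when: client_name is not match('^[A-Za-z0-9_-]+$')

    - name: Check if WireGuard client config exists
      stat:
        path: "{{ client_config_file }}"
      register: client_config_exists
      delegate_to: localhost
      become: false

    - name: Fail if client config not found
      fail:
        msg: "Client config not found: {{ client_config_file }}"
      when: not client_config_exists.stat.exists

    - name: Read client config
      slurp:
        src: "{{ client_config_file }}"
      register: client_config_content
      delegate_to: localhost
      become: false
      # The registered result holds the full config, including the private key.
      no_log: true

    # regex_findall returns a list. Appending the fallback before taking the
    # first element avoids the "sequence was empty" template error that
    # "| first" raises on a config without an Address= line — a template error
    # fails the task regardless of failed_when.
    - name: Extract client IP from config
      set_fact:
        client_vpn_ip: >-
          {{ ((client_config_content.content | b64decode
              | regex_findall('Address\s*=\s*([0-9.]+)'))
              + [default_client_vpn_ip]) | first }}

    - name: Display extracted client IP
      debug:
        msg: "Client VPN IP: {{ client_vpn_ip }}"

    - name: Stop and remove existing test container
      shell: |
        docker stop {{ test_container_name | quote }} || true
        docker rm {{ test_container_name | quote }} || true
      args:
        executable: /bin/bash
      failed_when: false

    - name: Create temporary directory for WireGuard config
      file:
        path: "{{ wireguard_config_path }}"
        state: directory
        mode: "0700"

    - name: Copy client config to server
      copy:
        content: "{{ client_config_content.content | b64decode }}"
        dest: "{{ wireguard_config_path }}/{{ client_name }}.conf"
        mode: "0600"
      # Private key material — keep it out of logs and diffs.
      no_log: true

    # NET_ADMIN + /dev/net/tun + src_valid_mark are what the image needs to
    # bring up wg0; SYS_MODULE is deliberately omitted (see header notes).
    - name: Start WireGuard test container
      shell: |
        docker run -d \
          --name {{ test_container_name | quote }} \
          --cap-add=NET_ADMIN \
          --sysctl net.ipv4.conf.all.src_valid_mark=1 \
          -v {{ wireguard_config_path }}/{{ client_name }}.conf:/etc/wireguard/{{ client_name }}.conf:ro \
          --device /dev/net/tun \
          {{ wireguard_image | quote }}
      args:
        executable: /bin/bash
      register: container_result
      failed_when: false

    - name: Display docker run error
      debug:
        msg: "docker run failed (rc={{ container_result.rc }}): {{ container_result.stderr }}"
      when: container_result.rc is defined and container_result.rc != 0

    - name: Wait for container to start
      pause:
        seconds: 5

    - name: Check container status
      shell: docker ps -a --filter "name={{ test_container_name }}" --format "{{ '{{' }}.Status{{ '}}' }}"
      register: container_status
      failed_when: false
      changed_when: false

    - name: Display container status
      debug:
        msg: "Container Status: {{ container_status.stdout }}"

    - name: Get container logs
      shell: docker logs {{ test_container_name | quote }} --tail 50
      register: container_logs
      failed_when: false
      changed_when: false

    - name: Display container logs
      debug:
        msg: "{{ container_logs.stdout_lines }}"

    - name: Test ping to VPN server from container
      shell: |
        docker exec {{ test_container_name | quote }} ping -c 4 {{ wireguard_server_ip | quote }} || true
      register: ping_result
      failed_when: false
      changed_when: false

    - name: Display ping result
      debug:
        msg: "{{ ping_result.stdout_lines }}"

    - name: Test curl to Grafana from container
      shell: |
        docker exec {{ test_container_name | quote }} curl -s -o /dev/null -w "%{http_code}" --max-time 10 {{ grafana_url | quote }} || echo "FAILED"
      register: curl_result
      failed_when: false
      changed_when: false

    - name: Display curl result
      debug:
        msg: "HTTP Status Code: {{ curl_result.stdout }}"

    - name: Get container IP
      shell: |
        docker exec {{ test_container_name | quote }} ip addr show wg0 | grep "inet " | awk '{print $2}' | cut -d/ -f1 || echo "No WireGuard IP"
      register: container_wg_ip
      failed_when: false
      changed_when: false

    - name: Display container WireGuard IP
      debug:
        msg: "Container WireGuard IP: {{ container_wg_ip.stdout }}"

    - name: Test DNS resolution from container
      shell: |
        docker exec {{ test_container_name | quote }} nslookup {{ grafana_url | urlsplit('hostname') | quote }} || true
      register: dns_result
      failed_when: false
      changed_when: false

    # "debug: <string>" is not a valid free-form call; the result must go in msg.
    - name: Display DNS result
      debug:
        msg: "{{ dns_result.stdout_lines }}"

    # Pulls the distinct ClientHost values of recent Grafana requests so the
    # operator can confirm the request arrived via the VPN address.
    - name: Check Traefik logs for container access
      shell: |
        cd {{ traefik_stack_dir }}
        tail -100 logs/access.log | grep -i grafana | tail -10 | grep -oP '"ClientHost":"[^"]*"' | sed 's/"ClientHost":"//;s/"//' | sort -u
      args:
        executable: /bin/bash
      register: traefik_client_ips
      failed_when: false
      changed_when: false

    - name: Display Traefik client IPs
      debug:
        msg: "{{ traefik_client_ips.stdout_lines }}"

    - name: Remove test container
      shell: |
        docker stop {{ test_container_name | quote }} || true
        docker rm {{ test_container_name | quote }} || true
      args:
        executable: /bin/bash
      failed_when: false
      when: cleanup_after_test | bool

    # Deletes the copied config, i.e. the client's private key, from the host.
    - name: Remove copied client config from server
      file:
        path: "{{ wireguard_config_path }}"
        state: absent
      when: cleanup_after_test | bool

    - name: Cleanup instructions
      debug:
        msg: |
          ========================================
          TEST ABGESCHLOSSEN
          ========================================
          Container-Name: {{ test_container_name }}
          Um Container zu entfernen:
            docker stop {{ test_container_name }}
            docker rm {{ test_container_name }}
          Um Config zu entfernen:
            rm -rf {{ wireguard_config_path }}
          ========================================
      when: not (cleanup_after_test | bool)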