---
# Not all variables have sensible defaults, let's ensure these are set.
- name: Ensure mandatory variables are defined
  assert:
    that:
      - managed_interface_name is defined
      - managed_network_prefix is defined
      - managed_network_prefix_length is defined
      - managed_network_address_family is defined

- name: Set managed interface facts
  set_fact:
    managed_interface_address: "{{ managed_network_prefix }}{{ groups['all'].index(inventory_hostname) + 1 }}"

- name: Add IPv4 address for managed network
  become: true
  vars:
    managed_network_cidr: "{{ managed_interface_address }}/{{ managed_network_prefix_length }}"
    # NOTE(yoctozepto): we have to compute and explicitly set the broadcast address,
    # otherwise bifrost fails its pre-bootstrap sanity checks due to missing
    # broadcast address as ansible picks up scope ('global') as the interface's
    # broadcast address which fails checks logic
    managed_network_broadcast_address: "{{ managed_network_cidr | ipaddr('broadcast') }}"
  command: ip address add {{ managed_network_cidr }} broadcast {{ managed_network_broadcast_address }} dev {{ managed_interface_name }}
  when: managed_network_address_family == 'ipv4'

# NOTE(yoctozepto): IPv6 has no broadcast address, let's not create confusion by setting it
- name: Add IPv6 address for managed network
  become: true
  command: ip address add {{ managed_interface_address }}/{{ managed_network_prefix_length }} dev {{ managed_interface_name }}
  when: managed_network_address_family == 'ipv6'

- name: Accept traffic on the managed network (IN)
  become: true
  iptables:
    state: present
    action: insert
    chain: INPUT
    ip_version: "{{ managed_network_address_family }}"
    in_interface: "{{ managed_interface_name }}"
    jump: ACCEPT

# NOTE(yoctozepto): the default policy is ACCEPT but it is nicer to get statistics
- name: Accept traffic on the managed network (OUT)
  become: true
  iptables:
    state: present
    action: insert
    chain: OUTPUT
    ip_version: "{{ managed_network_address_family }}"
    out_interface: "{{ managed_interface_name }}"
    jump: ACCEPT

# NOTE(yoctozepto): IPv6 DAD may delay proper address assignment
# this task will wait until DAD is done and addresses are no longer tentative
# we assign addresses uniquely so DAD can only move it to preferred
# hence we only check whether it's no longer tentative
- name: Ensure IPv6 addresses on the managed interface are no longer tentative
  become: true
  command: ip -o address show tentative dev {{ managed_interface_name }}
  register: tentative_addresses
  until: tentative_addresses.stdout == ''
  retries: 30
  delay: 2
  when:
    - managed_network_address_family == 'ipv6'

- name: Ping across the managed network
  become: true
  vars:
    ping_command: "{{ 'ping' if managed_network_address_family == 'ipv4' else 'ping6' }}"
  command: "{{ ping_command }} -c1 {{ hostvars[item].managed_interface_address }}"
  with_inventory_hostnames: all