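---
# Reconcile external Traefik Redis route keys for a single service.
#
# Purpose:
#   Codify emergency Redis route edits into repeatable automation so
#   route state can be restored without manual redis-cli commands.
#
# Usage:
#   cd /home/chester/homelab/ansible
#   ansible-playbook -i inventory/hosts.ini playbooks/preflight/reconcile_edge_route.yml \
#     -e "route_name=gitea" \
#     -e "route_fqdn=git.castaldifamily.com" \
#     -e "route_backend_url=http://10.0.0.211:8251"
#
# Security notes:
#   - route_name is interpolated into Redis key paths and route_fqdn into a
#     Traefik Host(`...`) rule, so both are format-checked before any key is
#     built. A "/" in route_name would address another router's or service's
#     keys; a backtick in route_fqdn would end the Host() matcher early.
#   - All redis-cli calls use the command module's argv form, so every key
#     and value is passed as exactly one argument with no word splitting.

- name: Reconcile edge route keys in Redis
  hosts: watchtower
  gather_facts: false
  vars_files:
    - ../../group_vars/all.yml
  vars:
    route_name: gitea
    route_fqdn: git.castaldifamily.com
    route_backend_url: "http://{{ edge_routing.swarm.bind_ip }}:8251"
    route_entrypoint: websecure
    route_cert_resolver: cloudflare
    redis_container_name: redis

  tasks:
    - name: Validate required route inputs
      ansible.builtin.assert:
        that:
          - route_name | trim | length > 0
          - route_fqdn | trim | length > 0
          - route_backend_url | trim | length > 0
          - edge_routing.edge_host.name | length > 0
        fail_msg: "Missing required route reconciliation inputs."

    # Non-empty is not enough: these values end up inside Redis key paths and
    # a Traefik rule expression, so restrict them to the characters a router
    # name, a hostname and a backend URL scheme are expected to use.
    - name: Validate route input formats
      ansible.builtin.assert:
        that:
          - 'route_name is match("^[A-Za-z0-9][A-Za-z0-9_.-]*$")'
          - 'route_fqdn is match("^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")'
          - 'route_backend_url is match("^(https?|h2c)://")'
        fail_msg: >-
          route_name, route_fqdn or route_backend_url contains characters
          that are not allowed in a route key, hostname or backend URL.

    # Desired state: the six Traefik KV entries that define the router and
    # its load-balancer service for this route.
    - name: Build route key map
      ansible.builtin.set_fact:
        edge_route_pairs:
          - key: "traefik/http/routers/{{ route_name }}/rule"
            value: "Host(`{{ route_fqdn }}`)"
          - key: "traefik/http/routers/{{ route_name }}/service"
            value: "{{ route_name }}"
          - key: "traefik/http/routers/{{ route_name }}/entryPoints/0"
            value: "{{ route_entrypoint }}"
          - key: "traefik/http/routers/{{ route_name }}/tls/certResolver"
            value: "{{ route_cert_resolver }}"
          - key: "traefik/http/services/{{ route_name }}/loadBalancer/servers/0/url"
            value: "{{ route_backend_url }}"
          - key: "traefik/http/services/{{ route_name }}/loadBalancer/passHostHeader"
            value: "true"

    # failed_when is disabled here, so a GET that errors is treated like a
    # missing key: its stdout will not equal the desired value and the write
    # task below runs (and fails loudly if Redis is really unreachable).
    - name: Read existing route key values
      ansible.builtin.command:
        argv:
          - docker
          - exec
          - "{{ redis_container_name }}"
          - redis-cli
          - GET
          - "{{ item.key }}"
      delegate_to: "{{ edge_routing.edge_host.name }}"
      become: true
      loop: "{{ edge_route_pairs }}"
      register: edge_route_existing_values
      changed_when: false
      failed_when: false

    # Only keys whose current value differs from the desired one are written,
    # so an already-correct route reports no change.
    - name: Write route keys when drift is detected
      ansible.builtin.command:
        argv:
          - docker
          - exec
          - "{{ redis_container_name }}"
          - redis-cli
          - SET
          - "{{ item.item.key }}"
          - "{{ item.item.value }}"
      delegate_to: "{{ edge_routing.edge_host.name }}"
      become: true
      loop: "{{ edge_route_existing_values.results }}"
      when: (item.stdout | default('')) != item.item.value
      register: edge_route_set_results
      changed_when: true

    # NOTE(review): only the backend URL is read back; the other five keys
    # are not re-checked after the write.
    - name: Verify reconciled backend URL
      ansible.builtin.command:
        argv:
          - docker
          - exec
          - "{{ redis_container_name }}"
          - redis-cli
          - GET
          - "traefik/http/services/{{ route_name }}/loadBalancer/servers/0/url"
      delegate_to: "{{ edge_routing.edge_host.name }}"
      become: true
      register: edge_route_backend_verify
      changed_when: false

    - name: Assert backend URL matches expected value
      ansible.builtin.assert:
        that:
          - edge_route_backend_verify.stdout | trim == route_backend_url
        fail_msg: >-
          Redis backend URL for {{ route_name }} is
          '{{ edge_route_backend_verify.stdout | trim }}' but expected
          '{{ route_backend_url }}'.
        success_msg: >-
          Edge route '{{ route_name }}' reconciled to {{ route_backend_url }}.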