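---
# Builds an isolated management bridge on the local host, assigns it a static
# IPv4 address, enables forwarding plus NAT so guests on the bridge can reach
# the outside world through the external interface, and persists the iptables
# rules. Assumes a Debian-family host (apt, ifupdown interfaces.d,
# iptables-persistent).
- name: Configure br-mgmt bridge for libvirt and Tinkerbell
  hosts: local
  become: true
  gather_facts: false
  vars:
    br_mgmt_name: br-mgmt
    # Quoted so no YAML loader tries to type the dotted quad.
    br_mgmt_ip: "172.16.81.254"
    br_mgmt_cidr: 24
    br_mgmt_netmask: "255.255.255.0"
    # Network served by the bridge; must agree with br_mgmt_ip/br_mgmt_cidr.
    # Used for the NAT source match and the interfaces.d header comment.
    br_mgmt_network: "172.16.81.0/24"
    # Upstream interface that masquerades bridge traffic. A single variable
    # keeps the NAT rule and both FORWARD rules referring to the same device.
    external_iface: enp41s0
  tasks:
    # brctl (used by the status task below) ships in bridge-utils.
    - name: Ensure bridge-utils is installed
      ansible.builtin.apt:
        name: bridge-utils
        state: present
        update_cache: false

    # Persistent definition so the bridge survives a reboot; the live bridge is
    # created further down with ip(8) so the play is useful without a reboot.
    - name: Create bridge interface configuration file
      ansible.builtin.copy:
        dest: /etc/network/interfaces.d/br-mgmt
        owner: root
        group: root
        mode: "0644"
        content: |
          # Management bridge for libvirt VMs and Tinkerbell
          # This bridge provides the {{ br_mgmt_network }} network for bare metal provisioning
          auto {{ br_mgmt_name }}
          iface {{ br_mgmt_name }} inet static
              address {{ br_mgmt_ip }}
              netmask {{ br_mgmt_netmask }}
              bridge_ports none
              bridge_stp off
              bridge_fd 0
              bridge_maxwait 0

    # rc == 0 when the link exists; the result only drives the two tasks below.
    - name: Check if bridge already exists
      ansible.builtin.command: ip link show {{ br_mgmt_name }}
      register: bridge_exists
      changed_when: false
      failed_when: false

    - name: Create bridge interface
      ansible.builtin.command: ip link add name {{ br_mgmt_name }} type bridge
      when: bridge_exists.rc != 0

    # Only runs on first creation; an existing bridge that was taken down is
    # not brought back up by this play.
    - name: Set bridge interface up
      ansible.builtin.command: ip link set {{ br_mgmt_name }} up
      when: bridge_exists.rc != 0

    # Fixed-string match on "<ip>/" so a shorter address that is a prefix of
    # br_mgmt_ip (or a dot matching any character) cannot produce a false hit.
    - name: Check current IP on bridge
      ansible.builtin.shell: ip addr show {{ br_mgmt_name }} | grep -qF '{{ br_mgmt_ip }}/'
      register: ip_configured
      changed_when: false
      failed_when: false

    - name: Assign IP address to bridge
      ansible.builtin.command: ip addr add {{ br_mgmt_ip }}/{{ br_mgmt_cidr }} dev {{ br_mgmt_name }}
      when: ip_configured.rc != 0

    # Host-wide setting: forwarding is enabled for every interface, not just
    # the bridge, so the FORWARD rules below are what scope it.
    - name: Enable IP forwarding
      ansible.posix.sysctl:
        name: net.ipv4.ip_forward
        value: "1"
        sysctl_set: true
        state: present
        reload: true

    # DEBIAN_FRONTEND suppresses the package's interactive "save rules?" prompt.
    - name: Install iptables-persistent
      ansible.builtin.apt:
        name: iptables-persistent
        state: present
        update_cache: false
      environment:
        DEBIAN_FRONTEND: noninteractive

    # The three rules below are appended (module default). Masquerading is
    # limited to br_mgmt_network leaving via external_iface, and traffic
    # entering the bridge from external_iface is accepted only when it belongs
    # to an ESTABLISHED/RELATED connection. The FORWARD chain's default policy
    # is not set by this play — NOTE(review): confirm it is DROP on the host,
    # otherwise that inbound restriction is not enforced here.
    - name: Configure NAT masquerade for br-mgmt network
      ansible.builtin.iptables:
        table: nat
        chain: POSTROUTING
        source: "{{ br_mgmt_network }}"
        out_interface: "{{ external_iface }}"
        jump: MASQUERADE
        comment: "NAT for br-mgmt network"
      register: nat_rule

    - name: Allow forwarding from br-mgmt to external
      ansible.builtin.iptables:
        chain: FORWARD
        in_interface: "{{ br_mgmt_name }}"
        out_interface: "{{ external_iface }}"
        jump: ACCEPT
        comment: "Forward br-mgmt to internet"
      register: forward_out_rule

    - name: Allow forwarding return traffic to br-mgmt
      ansible.builtin.iptables:
        chain: FORWARD
        in_interface: "{{ external_iface }}"
        out_interface: "{{ br_mgmt_name }}"
        ctstate: ESTABLISHED,RELATED
        jump: ACCEPT
        comment: "Return traffic to br-mgmt"
      register: forward_in_rule

    # Only rewrite the persisted ruleset when one of the rules above actually
    # changed; otherwise this task reported "changed" and overwrote the file on
    # every run.
    - name: Save iptables rules
      ansible.builtin.shell: iptables-save > /etc/iptables/rules.v4
      when: nat_rule is changed or forward_out_rule is changed or forward_in_rule is changed

    - name: Display bridge status
      ansible.builtin.shell: |
        echo "=== Bridge Status ==="
        ip addr show {{ br_mgmt_name }}
        echo ""
        echo "=== Bridge Details ==="
        brctl show {{ br_mgmt_name }}
      register: bridge_status
      changed_when: false

    - name: Show bridge status
      ansible.builtin.debug:
        var: bridge_status.stdout_lines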