---
- hosts: all
  any_errors_fatal: true
  vars:
    logs_dir: "/tmp/logs"
  roles:
    - bindep
    - multi-node-firewall
  tasks:
    # We have had cases where the nodepool private IP address is not assigned,
    # which causes hard to diagnose errors later on. Catch it early.
    - name: Assert that the nodepool private IPv4 address is assigned
      assert:
        that: nodepool.private_ipv4 in ansible_all_ipv4_addresses
        fail_msg: >-
          The nodepool private IP address {{ nodepool.private_ipv4 }} is not assigned

    - name: Install dbus for debian system
      apt: name=dbus
      when:
        - ansible_os_family == 'Debian'
      become: true

    - name: Ensure /tmp/logs/ dir
      file:
        path: "{{ logs_dir }}"
        state: "directory"

    - name: Ensure node directories
      file:
        path: "{{ logs_dir }}/{{ item }}"
        state: "directory"
        mode: 0777
      with_items:
        - "docker_logs"
        - "kolla_configs"
        - "system_logs"
        - "kolla"
        - "ansible"

    - name: set new hostname based on ansible inventory file
      hostname:
        name: "{{ inventory_hostname }}"
      become: true

    # NOTE(yoctozepto): start VXLAN interface config

    - name: Set VXLAN interface facts
      set_fact:
        api_interface_address: "{{ api_network_prefix }}{{ groups['all'].index(inventory_hostname) + 1 }}"
        api_interface_tunnel_vni: 10001
        tunnel_local_address: "{{ nodepool.private_ipv4 }}"

    # NOTE(yoctozepto): CI VXLAN must use a different port than neutron-openvswitch-agent
    # which defaults to 4789 (the default is used in CI)
    # hence using port 4790
    - name: Create VXLAN interface
      become: true
      command: ip link add {{ api_interface_name }} type vxlan id {{ api_interface_tunnel_vni }} local {{ tunnel_local_address }} dstport 4790

    - name: Set VXLAN interface MTU
      become: true
      vars:
        # Find the parent interface
        parent_interface: >-
          {{ ansible_interfaces |
             map('extract', ansible_facts) |
             selectattr('ipv4.address', 'defined') |
             selectattr('ipv4.address', 'equalto', tunnel_local_address) |
             first }}
        # Allow 50 bytes overhead for VXLAN headers.
        mtu: "{{ parent_interface.mtu | int - 50 }}"
      command: ip link set {{ api_interface_name }} mtu {{ mtu }}

    # emulate BUM by multiplicating traffic to unicast targets
    - name: Add fdb entries for BUM traffic
      become: true
      vars:
        dest_ip: "{{ hostvars[item].tunnel_local_address }}"
      command: bridge fdb append 00:00:00:00:00:00 dev {{ api_interface_name }} dst {{ dest_ip }}
      with_inventory_hostnames: all
      when: item != inventory_hostname

    - name: Add IPv4 address for VXLAN network
      become: true
      vars:
        api_network_cidr: "{{ api_interface_address }}/{{ api_network_prefix_length }}"
        # NOTE(yoctozepto): we have to compute and explicitly set the broadcast address,
        # otherwise bifrost fails its pre-bootstrap sanity checks due to missing
        # broadcast address as ansible picks up scope ('global') as the interface's
        # broadcast address which fails checks logic
        api_network_broadcast_address: "{{ api_network_cidr | ipaddr('broadcast') }}"
      command: ip address add {{ api_network_cidr }} broadcast {{ api_network_broadcast_address }} dev {{ api_interface_name }}
      when: address_family == 'ipv4'

    # NOTE(yoctozepto): IPv6 has no broadcast address, let's not create confusion by setting it
    - name: Add IPv6 address for VXLAN network
      become: true
      command: ip address add {{ api_interface_address }}/{{ api_network_prefix_length }} dev {{ api_interface_name }}
      when: address_family == 'ipv6'

    - name: Accept traffic on the VXLAN network (IN)
      become: true
      iptables:
        state: present
        action: insert
        chain: INPUT
        ip_version: "{{ address_family }}"
        in_interface: "{{ api_interface_name }}"
        jump: ACCEPT

    # NOTE(yoctozepto): the default policy is ACCEPT but it is nicer to get statistics
    - name: Accept traffic on the VXLAN network (OUT)
      become: true
      iptables:
        state: present
        action: insert
        chain: OUTPUT
        ip_version: "{{ address_family }}"
        out_interface: "{{ api_interface_name }}"
        jump: ACCEPT

    - name: Bring VXLAN interface up
      become: true
      command: ip link set {{ api_interface_name }} up

    # NOTE(yoctozepto): IPv6 DAD may delay proper address assignment
    # this task will wait until DAD is done and addresses are no longer tentative
    # we assign addresses uniquely so DAD can only move it to preferred
    # hence we only check whether it's no longer tentative
    - name: Ensure IPv6 addresses on VXLAN are no longer tentative
      become: true
      command: ip -o address show tentative dev {{ api_interface_name }}
      register: tentative_addresses
      until: tentative_addresses.stdout == ''
      retries: 30
      delay: 2
      when:
        - address_family == 'ipv6'

    - name: Ping across VXLAN
      vars:
        ping_command: "{{ 'ping' if address_family == 'ipv4' else 'ping6' }}"
      command: "{{ ping_command }} -c1 {{ hostvars[item].api_interface_address }}"
      with_inventory_hostnames: all

    # NOTE(yoctozepto): CentOS 7 image uses myhostname plugin for NSS
    # which creates issues with IPv6-only deployment by providing
    # an IPv4 address for the current hostname (affects rabbitmq)
    - name: Disable myhostname NSS plugin
      become: true
      replace:
        path: /etc/nsswitch.conf
        regexp: ' myhostname'
        replace: ''