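---
# pfSense Upgrade Playbook
# Upgrades pfSense systems within their current version branch.
# Detects available stable releases and reports or applies upgrades.
#
# Usage:
#   ansible-playbook upgrade.yml -i inventory/hosts.yml
#   ansible-playbook upgrade.yml -i inventory/hosts.yml --tags check  # dry-run only
#   ansible-playbook upgrade.yml -i inventory/hosts.yml -e "perform_upgrade=true"
#   ansible-playbook upgrade.yml -i inventory/hosts.yml -e "perform_upgrade=true allow_major_upgrade=true"
#
# NOTE(review): extra vars given as key=value on the command line reach the
# play as strings, not booleans. The pfsense_upgrade role is not visible here;
# confirm it evaluates both gates with `| bool`, so that
# -e "perform_upgrade=false" cannot be read as a truthy non-empty string.

- name: pfSense Upgrade
  hosts: pfsense_nodes
  gather_facts: false
  become: false
  serial: 1  # Upgrade one host at a time to preserve redundancy

  vars:
    perform_upgrade: false  # Safety gate — must be explicitly set to true
    allow_major_upgrade: false  # Set true to allow crossing major version branches
    reboot_timeout: 300  # Seconds to wait for host after reboot
    upgrade_check_timeout: 120  # Seconds before pfSense-upgrade check times out

    # SSH client options applied to every connection made by this play.
    # - ControlMaster/ControlPersist/ControlPath turn off connection
    #   multiplexing (presumably so that no stale control socket survives the
    #   reboot; confirm against the role).
    # - ConnectTimeout/ServerAlive* bound how long a dead connection is held.
    # NOTE(review): StrictHostKeyChecking=no together with
    # UserKnownHostsFile=/dev/null disables SSH host key verification, so the
    # identity of the firewall is never checked and nothing is remembered
    # between runs. Any credentials and upgrade commands sent by this play go
    # to whichever endpoint answers on that address. If host keys are stable
    # across upgrades, prefer a dedicated known_hosts file populated out of
    # band (or StrictHostKeyChecking=accept-new as a minimum) and restrict
    # this play to a trusted management network.
    ansible_ssh_common_args: >-
      -o ControlMaster=no
      -o ControlPersist=no
      -o ControlPath=none
      -o StrictHostKeyChecking=no
      -o UserKnownHostsFile=/dev/null
      -o ConnectTimeout=15
      -o ServerAliveInterval=10
      -o ServerAliveCountMax=3

  roles:
    - pfsense_upgrade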