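---
# roles/pfsense_upgrade/tasks/verify.yml
# Verifies the system is healthy after upgrade and reports the new version.
#
# Inputs defined outside this file: pfsense_version_file, pfsense_upgrade_bin,
# pfsense_current_version, upgrade_available.
# These role variables are interpolated into shell command lines below, so
# they should only ever come from role/inventory data, never from host output.

- name: Wait an additional grace period before verifying
  ansible.builtin.pause:
    seconds: 15

- name: Read post-upgrade version
  ansible.builtin.raw: cat {{ pfsense_version_file | quote }}
  register: _new_version_raw
  changed_when: false
  retries: 3
  delay: 10
  # An explicit condition is required for the retries to take effect on
  # ansible-core releases that ignore `retries` when `until` is absent.
  # An empty read is treated as a failure as well: an empty string would
  # otherwise compare as "different" from the previous version and make the
  # final version check pass without any version having been read.
  until:
    - _new_version_raw.rc | default(1) == 0
    - _new_version_raw.stdout | default('') | trim | length > 0

- name: Set post-upgrade version fact
  ansible.builtin.set_fact:
    pfsense_new_version: "{{ _new_version_raw.stdout | trim }}"

# Liveness probe only. Certificate verification is disabled, which is
# tolerable because the target is the loopback address; the result says
# nothing about the certificate presented to real clients.
# The exit status of fetch is kept (no `|| true`) so the summary can report
# it; failed_when: false still keeps this task from failing the play.
- name: Verify pfSense web GUI is responding (port 443)
  ansible.builtin.raw: >
    fetch -q -o /dev/null --no-verify-peer https://127.0.0.1/ 2>&1
  register: _webgui_check
  changed_when: false
  failed_when: false

# Counts listening sockets whose address ends in :53, :80 or :443. The value
# is a number of sockstat lines, not a number of distinct services.
# NOTE(review): `\b` is not a POSIX ERE construct; confirm that the grep on
# the target host honours it.
- name: Check that key pfSense services are running
  ansible.builtin.raw: >
    sockstat -l | grep -E ':(53|443|80)\b' | wc -l | tr -d ' '
  register: _services_check
  changed_when: false
  failed_when: false

# The summary below treats exit status 0 as "up to date" and anything else
# as possibly pending updates.
- name: Run pfSense-upgrade --check post-upgrade (confirm up-to-date)
  ansible.builtin.raw: >
    sudo {{ pfsense_upgrade_bin }} -d -c 2>&1
  register: _post_upgrade_check
  changed_when: false
  failed_when: false

- name: Upgrade result summary
  ansible.builtin.debug:
    msg:
      - "============================================================"
      - " Upgrade Result: {{ inventory_hostname }}"
      - "============================================================"
      - " Previous version : {{ pfsense_current_version }}"
      - " New version : {{ pfsense_new_version }}"
      - " Version changed : {{ pfsense_current_version != pfsense_new_version }}"
      - " Web GUI (443) : {{ 'Responding' if _webgui_check.rc | default(1) == 0 else 'NOT responding' }}"
      - " Listening ports : {{ _services_check.stdout | trim }} found (DNS/HTTP/HTTPS)"
      - " Post-upg check : {{ 'Up to date' if _post_upgrade_check.rc == 0 else 'May still have pending updates' }}"
      - "============================================================"

# Only enforced when an upgrade was expected (upgrade_available); an
# unchanged version is then treated as a failed upgrade.
- name: Fail if version did not change after upgrade attempt
  ansible.builtin.fail:
    msg: >
      pfSense version on {{ inventory_hostname }} is still
      {{ pfsense_new_version }} after upgrade attempt
      (was {{ pfsense_current_version }}).
      The upgrade may not have applied correctly — check the host manually.
  when:
    - pfsense_current_version == pfsense_new_version
    - upgrade_available | bool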