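---
# roles/pfsense_upgrade/tasks/update_check.yml
# Dynamic upgrade detection using the pfSense repository system.
#
# Every remote call in this file is a read-only PHP query run through
# ansible.builtin.raw (the normal module path is not used here). The PHP is
# static — no Ansible variables are templated into it — so there is no
# injection surface; each call is marked changed_when: false and is allowed to
# run in check mode so the report still works under --check.
#
# NOTE(review): sections 5 and 6 reference facts that are not set in this
# file (upstream_fetch_ok, upstream_major_minor, pfsense_major_minor,
# upstream_version, upgrade_available_version, pkg_outdated_count). They are
# presumably populated by an earlier task file in the role — confirm before
# including this file on its own. Sections 4 and 6 both print a status
# report; section 6 is the superset and may be the one intended to survive.

# ---------------------------------------------------------------------------
# 1. Detect available repositories and identify upgrade target
# ---------------------------------------------------------------------------
# Heuristic: the repository entry flagged "default" is the one currently
# selected; the first entry WITHOUT that flag is taken as the upgrade target.
# Output is "<name>|<descr>" when such an entry exists, otherwise the literal
# sentinel "UP_TO_DATE". The result is captured in $upgrade rather than echoed
# inside the loop so the sentinel is never appended to a real hit.
- name: List available pfSense repositories
  ansible.builtin.raw: |
    php -r 'require_once("/etc/inc/pkg-utils.inc");
    $repos = pkg_list_repos();
    $upgrade = "";
    foreach($repos as $r) {
      if (!isset($r["default"])) {
        $upgrade = $r["name"] . "|" . ($r["descr"] ?? "");
        break;
      }
    }
    echo $upgrade ?: "UP_TO_DATE";'
  register: _repo_check
  changed_when: false
  check_mode: false

- name: Parse repository check result
  ansible.builtin.set_fact:
    _repo_result: "{{ _repo_check.stdout | trim }}"
    _upgrade_available: "{{ (_repo_check.stdout | trim) != 'UP_TO_DATE' }}"

# Only meaningful when a non-default repository was found. An empty or missing
# description falls back to 'Unknown' (default(..., true) treats "" as unset).
- name: Set upgrade target repository
  ansible.builtin.set_fact:
    upgrade_target_repo: "{{ _repo_result.split('|')[0] }}"
    upgrade_target_description: "{{ _repo_result.split('|')[1] | default('Unknown', true) }}"
  when: _upgrade_available | bool

# ---------------------------------------------------------------------------
# 2. Get current version information
# ---------------------------------------------------------------------------
- name: Get current pfSense version
  ansible.builtin.raw: |
    php -r 'require_once("/etc/inc/pkg-utils.inc");
    $v = get_system_pkg_version(false);
    echo $v["installed_version"] ?? "Unknown";'
  register: _current_version
  changed_when: false
  check_mode: false

# Public facts consumed by the rest of the role.
- name: Set current version fact
  ansible.builtin.set_fact:
    pfsense_current_version: "{{ _current_version.stdout | trim }}"
    upgrade_available: "{{ _upgrade_available | bool }}"

# ---------------------------------------------------------------------------
# 3. Get current repository name
# ---------------------------------------------------------------------------
- name: Get current default repository
  ansible.builtin.raw: |
    php -r 'require_once("/etc/inc/pkg-utils.inc");
    foreach(pkg_list_repos() as $r) {
      if (isset($r["default"])) {
        echo $r["name"];
      }
    }'
  register: _current_repo
  changed_when: false
  check_mode: false

- name: Set current repo fact
  ansible.builtin.set_fact:
    current_repo: "{{ _current_repo.stdout | trim }}"

# ---------------------------------------------------------------------------
# 4. Display upgrade status report
# ---------------------------------------------------------------------------
# upgrade_target_repo / upgrade_target_description are only defined when an
# upgrade is available, so they are referenced solely inside the true branch.
- name: Display upgrade status report
  ansible.builtin.debug:
    msg:
      - "============================================================"
      - " Update Status: {{ inventory_hostname }}"
      - "============================================================"
      - " Current version : {{ pfsense_current_version }}"
      - " Current repo : {{ current_repo }}"
      - "------------------------------------------------------------"
      - " Upgrade available: {{ 'YES — ' ~ upgrade_target_repo ~ ' (' ~ upgrade_target_description ~ ')' if upgrade_available | bool else 'NO — System is up to date' }}"
      - "------------------------------------------------------------"
      - " perform_upgrade : {{ perform_upgrade | bool }}"
      - "============================================================"

- name: Warn if perform_upgrade is false but upgrade is available
  ansible.builtin.debug:
    msg: >-
      DRY RUN — Upgrade to {{ upgrade_target_repo }} is available but
      perform_upgrade=false. Re-run with -e "perform_upgrade=true" to apply.
  when:
    - upgrade_available | bool
    - not (perform_upgrade | bool)

# ---------------------------------------------------------------------------
# 5. Compare branches — detect if a newer stable branch exists upstream
# ---------------------------------------------------------------------------
# "Newer" means a higher major, or the same major with a higher minor, of the
# "MAJOR.MINOR" strings. Parentheses make the and/or grouping explicit; the
# original relied on Jinja precedence, which grouped the same way only because
# the task is also guarded by upstream_fetch_ok.
- name: Determine if a newer major release branch is available
  ansible.builtin.set_fact:
    new_major_release_available: >-
      {{ (upstream_fetch_ok | bool)
         and (
           (upstream_major_minor.split('.')[0] | int) > (pfsense_major_minor.split('.')[0] | int)
           or (
             (upstream_major_minor.split('.')[0] | int) == (pfsense_major_minor.split('.')[0] | int)
             and (upstream_major_minor.split('.')[1] | int) > (pfsense_major_minor.split('.')[1] | int)
           )
         ) }}
  when: upstream_fetch_ok | bool

# Without upstream data we cannot claim a newer branch exists.
- name: Default new_major_release_available when fetch failed
  ansible.builtin.set_fact:
    new_major_release_available: false
  when: not (upstream_fetch_ok | bool)

# ---------------------------------------------------------------------------
# 6. Print the full update status report
# ---------------------------------------------------------------------------
- name: Display update status report
  ansible.builtin.debug:
    msg:
      - "============================================================"
      - " Update Status: {{ inventory_hostname }}"
      - "============================================================"
      - " Current version : {{ pfsense_current_version }}"
      - " Current branch : {{ pfsense_major_minor }}"
      - "------------------------------------------------------------"
      - " In-branch update : {{ 'YES — ' ~ upgrade_available_version if upgrade_available | bool else 'No — already up to date' }}"
      - " Outdated pkgs : {{ pkg_outdated_count }} package(s) behind"
      - "------------------------------------------------------------"
      - " Upstream latest : {{ upstream_version if upstream_fetch_ok | bool else 'Could not reach upstream' }}"
      - " Upstream branch : {{ upstream_major_minor if upstream_fetch_ok | bool else 'N/A' }}"
      - " New branch avail : {{ 'YES — ' ~ upstream_version if new_major_release_available | bool else 'No' }}"
      - "------------------------------------------------------------"
      - " perform_upgrade : {{ perform_upgrade | bool }}"
      - " allow_major_upg : {{ allow_major_upgrade | bool }}"
      - "============================================================"

# Cross-branch upgrades are opt-in: both flags must be set explicitly.
- name: Warn if a new major release branch is available but not allowed
  ansible.builtin.debug:
    msg: >-
      WARNING: pfSense {{ upstream_version }} is available on branch
      {{ upstream_major_minor }}, which is newer than your running branch
      {{ pfsense_major_minor }}. To upgrade across branches, re-run with:
      -e "perform_upgrade=true allow_major_upgrade=true"
  when:
    - new_major_release_available | bool
    - not (allow_major_upgrade | bool)

- name: Warn if perform_upgrade is false but upgrades are available
  ansible.builtin.debug:
    msg: >-
      DRY RUN — upgrades are available but perform_upgrade=false.
      Re-run with -e "perform_upgrade=true" to apply.
  when:
    - (upgrade_available | bool) or (pkg_outdated_count | int > 0)
    - not (perform_upgrade | bool)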