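---
# OPNsense MSP management play: configuration backup, firmware status/upgrade,
# service / certificate / interface audits, and admin-account and settings
# management for every host in the `firewalls` group.
# Each task is tagged so that a subset can be selected with --tags / --skip-tags.
# NOTE(review): the ansibleguy.opnsense.* module names are carried over from the
# original playbook; confirm each exists in the installed collection version.
- name: OPNsense Advanced MSP Management
  hosts: firewalls
  gather_facts: false
  vars:
    # Managed via Semaphore Environment Variables or group_vars
    admin_accounts:
      - name: "msp_admin"
        pwd: "{{ vault_msp_admin_password }}"
        groups: ["admins"]
        state: "present"
      - name: "decommissioned_user"
        state: "absent"  # Auto-purges old accounts
    critical_services: ["unbound", "dhcpd", "configd"]
    expected_interfaces:
      - device: "wan"
        speed: "1000"
      - device: "lan"
        speed: "1000"

  tasks:
    # --- TASK: BACKUP ---
    - name: Export configuration
      ansibleguy.opnsense.system_backup:
        destination: "./backups/{{ inventory_hostname }}.xml"
      tags: backup

    # --- TASK: UPDATES ---
    - name: Check firmware status
      ansibleguy.opnsense.firmware_info:
      register: fw_info
      tags: upgrade_check

    - name: Apply updates if reboot is required
      ansibleguy.opnsense.firmware:
        upgrade: true
        reboot: true
      # Only runs when the firmware check reported a pending reboot; the
      # default(false) keeps the play going if the fact is missing.
      when: fw_info.needs_reboot | default(false)
      tags: upgrade_apply

    # --- TASK: MONITORING ---
    - name: Audit critical services
      ansibleguy.opnsense.service:
        name: "{{ item }}"
        state: started
      loop: "{{ critical_services }}"
      tags: monitoring

    - name: Audit SSL certificates
      ansibleguy.opnsense.certificate_info:
      register: cert_info
      tags: monitoring

    - name: Alert on expiring certs
      ansible.builtin.debug:
        msg: "CERT WARNING: {{ item.descr }} expires in {{ item.enddate_days }} days"
      loop: "{{ cert_info.certificates }}"
      # Warn only for certificates with fewer than 30 days left.
      when: item.enddate_days | int < 30
      tags: monitoring

    # --- TASK: AUDIT ---
    - name: Verify interface link state
      ansibleguy.opnsense.interface_info:
      register: int_info
      tags: audit

    - name: Fail if interface is DOWN
      ansible.builtin.assert:
        that: "int_info.interfaces[item.device].status == 'up'"
        fail_msg: "ALERT: Interface {{ item.device }} is DOWN!"
      loop: "{{ expected_interfaces }}"
      tags: audit

    # --- TASK: USER/SETTINGS MANAGEMENT ---
    - name: Manage Admin Accounts
      ansibleguy.opnsense.user:
        name: "{{ item.name }}"
        password: "{{ item.pwd | default(omit) }}"
        groups: "{{ item.groups | default(omit) }}"
        state: "{{ item.state | default('present') }}"
      loop: "{{ admin_accounts }}"
      # Loop items carry the vaulted password; without no_log every item
      # (including pwd) is printed in task output and job logs.
      no_log: true
      tags: users

    - name: Apply Granular Settings
      ansibleguy.opnsense.system_settings:
        # opnsense_custom_settings is not defined in this play; it must come
        # from inventory/group_vars/extra-vars or the task fails as undefined.
        settings: "{{ opnsense_custom_settings }}"
      tags: settings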