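---
# Validation Playbook - Test Configuration Before Deployment
#
# Pre-flight checks for the vpn_servers group. Every task is a ping, an
# assert or a debug print; nothing here changes the target hosts.
# Checks performed:
#   1. the host is reachable by Ansible
#   2. the management allowlist is defined and non-empty
#   3. no two hosts in the play share the same wg_network value
#   4. the ValleyForge address is no longer the shipped placeholder
- name: Validate Configuration
  hosts: vpn_servers
  # No task below references ansible_facts directly, so fact gathering stays
  # off. Written as a canonical boolean rather than the YAML 1.1 "no".
  gather_facts: false
  tasks:
    - name: Test connectivity
      ansible.builtin.ping:

    # An undefined or empty allowlist must stop the run here.
    # NOTE(review): a non-empty string also satisfies "length > 0"; the
    # join() in the summary task suggests a list is expected. Confirm.
    - name: Validate management_allowed_sources is defined
      ansible.builtin.assert:
        that:
          - management_allowed_sources is defined
          - management_allowed_sources | length > 0
        fail_msg: "ERROR: management_allowed_sources must be defined in group_vars!"
        success_msg: "✓ management_allowed_sources is configured"

    # Prints the per-host values for the operator to read. This task only
    # prints; uniqueness is enforced by the assert that follows.
    - name: Validate VPN network is unique per host
      ansible.builtin.debug:
        msg: "{{ inventory_hostname }}: VPN network {{ wg_network }}, Server IP {{ wg_server_ip }}"

    # Collect wg_network from every host still active in the play and fail
    # if any value occurs twice. Runs once because the comparison spans all
    # hosts. Only identical strings are detected; overlapping but different
    # prefixes are not.
    - name: Assert VPN networks are not reused across hosts
      ansible.builtin.assert:
        that:
          - >-
            (ansible_play_hosts | map('extract', hostvars, 'wg_network')
            | list | unique | length) == (ansible_play_hosts | length)
        fail_msg: "ERROR: wg_network is reused by more than one host in this play!"
        success_msg: "✓ wg_network is unique across hosts in this play"
      run_once: true

    # Runs only when the placeholder address appears in the allowlist.
    # NOTE(review): the "when" test is an exact-match membership check, so
    # an entry written in CIDR form (e.g. with a /32 suffix) would skip this
    # task. Confirm how group_vars writes the entry.
    # NOTE(review): when it runs, only valleyforge_public_ip is compared. A
    # literal placeholder entry in management_allowed_sources would pass
    # this check and stay in the management allowlist. Verify that the list
    # is built from the variable.
    - name: Validate ValleyForge IP is set
      ansible.builtin.assert:
        that:
          - valleyforge_public_ip is defined
          - valleyforge_public_ip != "185.112.147.205"  # Default placeholder
        fail_msg: "ERROR: Please set valleyforge_public_ip to your actual ValleyForge IP!"
        success_msg: "✓ ValleyForge IP is configured: {{ valleyforge_public_ip }}"
      when: "'185.112.147.205' in management_allowed_sources"

    # Final per-host recap so the operator can check the effective
    # allowlist and the peer count before deploying.
    - name: Display configuration summary
      ansible.builtin.debug:
        msg:
          - "Host: {{ inventory_hostname }}"
          - "VPN Network: {{ wg_network }}"
          - "Management allowed from: {{ management_allowed_sources | join(', ') }}"
          - "Users configured: {{ wg_peers | length }}"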