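---
# Liveness check for Portainer, reached through a short-lived SSH local port
# forward opened from the control node. The forward is bound to 127.0.0.1 only
# and is torn down in the `always` section, whether or not the checks succeed.
- name: Ping Portainer via tunnel SSH
  hosts: localhost
  connection: local
  gather_facts: false

  vars:
    ssh_user: semaphore
    ssh_host: bdc.cci17.fr
    ssh_port: 17100
    portainer_internal_ip: 10.30.0.151
    portainer_port: 9443
    # Play vars are templated lazily, so this expression is re-evaluated (and
    # `random` re-drawn) on every reference. The first task pins it with
    # set_fact so every later use sees the same port.
    # `9999 | random` yields 0..9998, i.e. a port in 20000..29998.
    local_port: "{{ 20000 + (9999 | random) }}"
    # NOTE(security): ssh_config(5) recommends placing ControlPath in a
    # directory that is not writable by other users; /tmp is world-writable.
    # Consider a 0700 directory owned by the user running the playbook.
    ssh_control_socket: "/tmp/ansible-ssh-tunnel-{{ local_port }}.sock"

  tasks:
    # Without this, the forward, the control socket path, wait_for and the uri
    # call would each get a different random port, and the `-O exit` cleanup
    # would target a socket that was never created.
    - name: Figer le port local du tunnel (tirage unique)
      set_fact:
        local_port: "{{ local_port }}"

    - block:
        # -M/-S create a control master so the tunnel can be closed by socket
        # later; -f -N backgrounds ssh without running a remote command.
        # ExitOnForwardFailure=yes makes ssh fail if the local port is taken.
        #
        # NOTE(security): StrictHostKeyChecking=no together with
        # UserKnownHostsFile=/dev/null means the SSH server's identity is never
        # verified. Pin the host key of ssh_host in a dedicated known_hosts
        # file, point UserKnownHostsFile at it and drop StrictHostKeyChecking=no
        # so the tunnel endpoint is authenticated.
        - name: Ouvrir le tunnel SSH (fork en background)
          shell: >
            ssh -p {{ ssh_port }}
            -o ExitOnForwardFailure=yes
            -o StrictHostKeyChecking=no
            -o UserKnownHostsFile=/dev/null
            -o ServerAliveInterval=10
            -o ServerAliveCountMax=3
            -M -S {{ ssh_control_socket }}
            -f -N
            -L 127.0.0.1:{{ local_port }}:{{ portainer_internal_ip }}:{{ portainer_port }}
            {{ ssh_user }}@{{ ssh_host }}
          register: tunnel_open
          changed_when: true

        - name: Attendre que le port local du tunnel soit en écoute
          wait_for:
            host: 127.0.0.1
            port: "{{ local_port }}"
            delay: 1
            timeout: 20

        # NOTE(security): validate_certs is off, and the SSH host key is not
        # checked either, so neither layer authenticates the remote end. A
        # status in the accepted list only shows that something answered HTTPS
        # behind the forward. Do not send credentials or API tokens over this
        # path until host key pinning (and ideally certificate validation) is
        # in place.
        - name: Ping HTTPS Portainer via le tunnel
          uri:
            url: "https://127.0.0.1:{{ local_port }}/"
            method: GET
            validate_certs: false
            return_content: false
            status_code: [200, 301, 302, 403]
          register: portainer_response

        - name: OK
          debug:
            msg: "✅ Portainer joignable via tunnel (status {{ portainer_response.status }})"

      always:
        # Asks the control master to exit through its socket. Errors are
        # ignored because the tunnel may never have been opened.
        - name: Fermer le tunnel SSH (si ouvert)
          shell: >
            ssh -p {{ ssh_port }}
            -S {{ ssh_control_socket }}
            -O exit
            {{ ssh_user }}@{{ ssh_host }}
          ignore_errors: true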