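---
# Expose in-cluster observability UIs over the tailnet only.
#
# Each service gets a systemd-managed `kubectl port-forward` that binds the
# service to a loopback port on this host; `tailscale serve` then relays a
# tailnet TCP port to that loopback port. Nothing here publishes a service on
# a non-loopback interface.
#
# Variables expected from the caller (inventory/role defaults):
#   private_access_grafana_port, private_access_prometheus_port,
#   private_access_flux_port  -- tailnet-side TCP ports for `tailscale serve`.

# Each template task registers its result so a changed unit file triggers a
# daemon reload and a restart of that unit below.
- name: Create systemd unit for Grafana private access
  template:
    src: kubectl-port-forward.service.j2
    dest: /etc/systemd/system/k8s-portforward-grafana.service
    mode: "0644"
  vars:
    unit_description: Port-forward Grafana for Tailscale access
    unit_namespace: observability
    unit_target: svc/observability-kube-prometheus-stack-grafana
    unit_local_port: 13080
    unit_remote_port: 80
  register: private_access_unit_grafana

- name: Create systemd unit for Prometheus private access
  template:
    src: kubectl-port-forward.service.j2
    dest: /etc/systemd/system/k8s-portforward-prometheus.service
    mode: "0644"
  vars:
    unit_description: Port-forward Prometheus for Tailscale access
    unit_namespace: observability
    unit_target: svc/observability-kube-prometh-prometheus
    unit_local_port: 19090
    unit_remote_port: 9090
  register: private_access_unit_prometheus

- name: Create systemd unit for Flux UI private access
  template:
    src: kubectl-port-forward.service.j2
    dest: /etc/systemd/system/k8s-portforward-flux-ui.service
    mode: "0644"
  vars:
    unit_description: Port-forward Flux UI for Tailscale access
    unit_namespace: flux-system
    unit_target: svc/flux-system-weave-gitops
    unit_local_port: 19001
    unit_remote_port: 9001
  register: private_access_unit_flux_ui

# The unit files above are the only thing that can require a daemon reload,
# so only reload when at least one of them actually changed.
- name: Reload systemd
  systemd:
    daemon_reload: true
  when: >-
    private_access_unit_grafana is changed
    or private_access_unit_prometheus is changed
    or private_access_unit_flux_ui is changed

# `state: started` leaves an already-running unit on its old definition, so a
# unit whose file changed is restarted instead; on first run both paths start it.
- name: Enable and start private access port-forward services
  systemd:
    name: "{{ item.name }}"
    enabled: true
    state: "{{ 'restarted' if (item.unit_changed | bool) else 'started' }}"
  loop:
    - name: k8s-portforward-grafana.service
      unit_changed: "{{ private_access_unit_grafana is changed }}"
    - name: k8s-portforward-prometheus.service
      unit_changed: "{{ private_access_unit_prometheus is changed }}"
    - name: k8s-portforward-flux-ui.service
      unit_changed: "{{ private_access_unit_flux_ui is changed }}"
  loop_control:
    label: "{{ item.name }}"

# The Tailscale Serve configuration is rebuilt from scratch on every run
# (reset, then re-add each relay), so both tasks deliberately always report
# changed. `command` is used rather than `shell` so the templated port values
# are passed as argv entries and are never interpreted by a shell.
- name: Reset Tailscale Serve configuration
  command: tailscale serve reset
  changed_when: true

# `local_port` must match the `unit_local_port` of the corresponding unit above.
- name: Configure Tailscale Serve for private access endpoints
  command: >-
    tailscale serve --bg
    --tcp={{ item.tailnet_port }}
    tcp://127.0.0.1:{{ item.local_port }}
  loop:
    - tailnet_port: "{{ private_access_grafana_port }}"
      local_port: 13080
    - tailnet_port: "{{ private_access_prometheus_port }}"
      local_port: 19090
    - tailnet_port: "{{ private_access_flux_port }}"
      local_port: 19001
  loop_control:
    label: "tcp:{{ item.tailnet_port }} -> 127.0.0.1:{{ item.local_port }}"
  changed_when: true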