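---
# Lab preparation playbook made of two plays:
#   1. workstation.lab.example.com, no privilege escalation: includes the
#      roles below, in the order listed.
#   2. utility.lab.example.com, with privilege escalation: includes the
#      setup-ingress role.
#
# Tagging convention: every include lists its tags twice. The task-level
# `tags` select the include itself; `apply.tags` hands the same tags to the
# tasks inside the included role, which a dynamic include does not do on
# its own. Keep both lists identical when editing.
#
# Run without a --tags filter, every role in this file executes, including
# remove-operators. Use --tags to limit a run to the intended steps.

# NOTE(review): the play name says "checks only", but this play also includes
# roles that remove and deploy operators and set up RBAC, SSO, auth and TLS.
# Consider renaming it so run logs describe what was actually applied.
- name: Pre-flight checks only.
  hosts: workstation.lab.example.com
  gather_subset: min
  become: false
  tasks:
    # Deploy packages.
    - include_role:
        name: install-packages
        apply:
          tags:
            - install
      tags:
        - install

    # Get auth info, check cluster comms.
    - include_role:
        name: check-env
        apply:
          tags:
            - check
      tags:
        - check

    # THIS MUST BE APPLIED BEFORE FIX OPERATORS!
    # The ordering only holds when both steps are selected (for example
    # --tags prep). A run limited to --tags fix skips this step entirely.
    # removed_operators is defined outside this playbook; each item is
    # exposed to the role as `role`.
    - include_role:
        name: remove-operators
        apply:
          tags:
            - prep
            - remove
      loop: "{{ removed_operators }}"
      loop_control:
        loop_var: role
      tags:
        - prep
        - remove

    # Fix the operator catalog sources.
    - include_role:
        name: fix-operators
        apply:
          tags:
            - prep
            - fix
      tags:
        - prep
        - fix

    # Re-apply any operators that have had their catalog sources changed and
    # install new ones.
    # added_operators is defined outside this playbook; each item is exposed
    # to the role as `role`.
    - include_role:
        name: deploy-operators
        apply:
          tags:
            - prep
            - deploy
      loop: "{{ added_operators }}"
      loop_control:
        loop_var: role
      tags:
        - prep
        - deploy

    # Apply some labels to nodes.
    - include_role:
        name: apply-node-labels
        apply:
          tags:
            - prep
            - setup
            - labels
      tags:
        - prep
        - setup
        - labels

    # Ensure RBAC resources (ClusterRoles and global Groups) are there.
    - include_role:
        name: setup-rbac
        apply:
          tags:
            - prep
            - setup
            - rbac
      tags:
        - prep
        - setup
        - rbac

    # Ensure a Keycloak is there (use rhbk_state=absent var to remove).
    # NOTE(review): setup-auth below points OpenShift OAuth at this Keycloak.
    # Presumably removing it with rhbk_state=absent leaves OAuth referencing
    # a missing identity provider; confirm the removal path handles that.
    - include_role:
        name: deploy-rhbk
        apply:
          tags:
            - prep
            - setup
            - sso
      tags:
        - prep
        - setup
        - sso

    # Ensure OpenShift OAuth is using the Keycloak.
    - include_role:
        name: setup-auth
        apply:
          tags:
            - prep
            - setup
            - auth
      tags:
        - prep
        - setup
        - auth

    # Enable user workload monitoring.
    # NOTE(review): this step is tagged `monitor`, while deploy-grafana is
    # tagged `monitoring`; neither tag selects both steps. Confirm which
    # spelling is intended before relying on either for a partial run.
    - include_role:
        name: user-workload-monitoring
        apply:
          tags:
            - prep
            - setup
            - monitor
      tags:
        - prep
        - setup
        - monitor

    # Apply some labels to projects.
    - include_role:
        name: apply-infra-labels
        apply:
          tags:
            - prep
            - setup
            - labels
      tags:
        - prep
        - setup
        - labels

    # Deploy and configure grafana.
    - include_role:
        name: deploy-grafana
        apply:
          tags:
            - prep
            - setup
            - monitoring
      tags:
        - prep
        - setup
        - monitoring

    # Deploy and configure certmanager
    # Two roles share the `tls` tag: create-certs runs first, then
    # deploy-certmanager.
    - include_role:
        name: create-certs
        apply:
          tags:
            - prep
            - setup
            - tls
      tags:
        - prep
        - setup
        - tls

    - include_role:
        name: deploy-certmanager
        apply:
          tags:
            - prep
            - setup
            - tls
      tags:
        - prep
        - setup
        - tls

    # TODO: deploy logging (?)
    # TODO: logging requires minio
    # TODO: configure externalip (ipfailover? metallb?) range
    # TODO: create a private network (nmstate + bridges?)

# Some additional configuration for infra.
# This is the only play that escalates privileges (become: true).
# After a run, verify on the utility host that plaintext HTTP is no longer
# forwarded; this file does not show how setup-ingress enforces it.
- name: Ensure HAProxy on utility does not forward plaintext HTTP to OpenShift.
  hosts: utility.lab.example.com
  gather_subset: min
  become: true
  tasks:
    - include_role:
        name: setup-ingress
        apply:
          tags:
            - prep
            - ingress
      tags:
        - prep
        - ingress
...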