feat(_universal): network-aware bridge create + cloud-init (slices 4/5)

[pparage]

What

Makes the _universal scenario honor topology-defined networks instead of hardcoding the 192.168.{bridge_base + team_id} scheme.

Slice 4 — network_create_idempotent.yml: replaces the hard assert (which blocked deploys unless an operator had pre-created every bridge) with create-if-missing:

• Reads backend-resolved bridge/cidr/gateway from r42_network_map (inventory all.vars).
• Stages the bridge via the proxmox-controller network_add_interfaces_node API, applies it via the Proxmox API reload (PUT), and ensures NAT through the idempotent ansible.builtin.iptables module.
• Falls back to the legacy r42_*_for_team scheme when a network carries no explicit values → existing topologies unchanged.

Slice 5 — vm_provision.yml: cloud-init ip/netmask/gateway/bridge now read the backend-resolved values from inventory hostvars (ansible_host / r42_ci_netmask / r42_ci_gateway / r42_net_bridge), with a legacy fallback. Also FQCN-normalizes the existing include_role calls.

Why this shape (single source of truth)

The playbook previously had its own expansion (r42_expand_per_team + r42_*_for_team filters) that ignored the topology's cidr/gateway — a third copy of the expansion logic alongside the TS and Python expand_replication. This PR moves resolution to the backend (inventory_writer), so the playbook only consumes resolved values. No 4th renderer.

Dependency (cross-repo)

Requires range42-backend-api changes that emit r42_network_map + per-host r42_ci_* vars (branch feature/network-provisioning, builds on the #84 schema/expander reconciliation and #73 inventory CIDR-derivation). Merge/validate that first.

⚠️ NEEDS LIVE VALIDATION before merge

These tasks touch live Proxmox host networking and cannot be tested offline. A reversible API spike on pve01 already proved bridge create + reload works and that a naive post-up iptables -A re-appends duplicate MASQUERADE rules on reload (hence the idempotent iptables module here). Still to verify on a real 2-VM deploy:

• Fresh bridge: create → reload applies it without disturbing vmbr0/existing bridges.
• NAT MASQUERADE present once (no duplicates) and VM reaches the internet.
• Cloud-init IP equals the inventory ansible_host (so Ansible can reach the VM).
• A canvas-drawn custom CIDR (e.g. 10.x.0.0/16) is honored end-to-end.
• Open question — NAT persistence: the iptables rule is applied at runtime; persistence across a host reboot is a tracked follow-up (the existing bridges persist NAT via post-up, which is the non-idempotent path we're avoiding).

Offline verification done

• ansible-lint (production profile): 0 failures on both changed files.
• ansible-playbook --syntax-check on _universal/main.yml: passes.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 46b243aa82

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Propagate topology beyond localhost

This loop runs in a later play on proxmox-cli, but topology and the defaulted team_count are created with set_fact only for localhost in the first play. Unless those same variables are also supplied as inventory/extravars, the first provisioning play fails with topology undefined before any network or VM work starts; use hostvars['localhost'], play vars, or delegate/cache the facts for the target hosts.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Reapply NAT when a bridge already exists

Because the NAT task is inside the when: _expected_bridge not in existing_bridges block, reruns skip MASQUERADE for any bridge that already exists. This breaks the documented create-if-missing path when an operator pre-created the bridge, a previous attempt created it but failed before NAT, or the host rebooted and lost the runtime iptables rule; the idempotent iptables task should run regardless of whether the bridge had to be created.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Handle shared networks in legacy fallback

For a shared network without explicit r42_network_map values, net_item.team_id is None, and Ansible's default(0) does not replace defined null values before the custom filters run. That sends None into r42_bridge_for_team / r42_subnet_for_team, whose int(team_id) raises, so the promised legacy fallback fails for shared-scope networks; use an explicit is none branch or default(0, true).

Useful? React with 👍 / 👎.

[pparage]

@hyde-repo I will test before your check

[pparage]

Addressed the Codex review in 3144f52: (1) relay topology/team_count to the proxmox-cli plays (set_fact on localhost is host-scoped) + backend now passes team_count as an extravar; (2) idempotent NAT MASQUERADE now runs unconditionally (pre-existing bridges + post-reboot need it); (3) default(0, true)/default('shared', true) so shared-scope networks don't pass None into the int-based filters. Validating live next.

[pparage]

hey ben quick context on why these playbook changes

the old _universal just asserted the bridges already existed and made you pre-create vmbr140-151 by hand before any deploy. and it hardcoded every ip/gateway/bridge to the 192.168.{bridge_base+team} scheme, so whatever network you actually drew in the ui (custom cidr etc) got thrown away. whole point here is to make the canvas mean something.

instead of teaching the playbook to render the network templates itself which would've been a 3rd copy of the expand logic sitting next to the ts and python ones, basically guaranteed to drift the backend now resolves everything and hands it over. there's an r42_network_map in the inventory plus per-host r42_ci_* vars, and the playbook just reads those. single source of truth.

so network_create_idempotent now: if the bridge is missing it creates it from the resolved cidr/gateway, applies it via the proxmox api reload, then ensures the NAT rule. the NAT goes through the ansible iptables module on purpose i ran a spike on pve01 and the old post-up iptables -A ... MASQUERADE re-appends a duplicate rule on every reload. the host was already sitting at ~7 dupe masquerade rules per subnet. the iptables module is idempotent so it stops that.

vm_provision: cloud-init ip/netmask/gw/bridge now come from the inventory hostvars the backend wrote instead of recomputing the hardcoded scheme. falls back to the old scheme if a topology doesn't carry the values, so nothing existing breaks.

the last commit is review fixes (thanks codex): topology was only set_fact'd on localhost so the proxmox-cli plays couldn't see it and would've died right away, the NAT task was stuck inside the create-only block so it skipped pre-existing bridges, and shared networks crashed passing None into the int filters.

still needs a real 2-vm deploy to actually validate the create+reload+nat path, can't test that offline. NAT persistence across a host reboot is a separate follow-up (runtime rule for now). backend half is range42-backend-api#98.

I will test it and once OK i'll tell you and have it reviewed by you let me know your thoughts!

[pparage]

Live validation on pve01 (slice 4)

Ran network_create_idempotent.yml directly against the real Proxmox host with a throwaway bridge (vmbr177, 10.77.0.0/24), via r42_network_map. Fully reverted afterwards (host restored to baseline, net change zero).

Works ✅

• Bridge created from the resolved map: vmbr177 came up 10.77.0.1/24.
• API reload applied it; vmbr0/vmbr142 and all VMs untouched.
• NAT MASQUERADE added for the subnet (correct comment/source).
• Re-deploy idempotency: re-running with the bridge already present skips create and the iptables module adds no duplicate → MASQUERADE count unchanged. The "NAT always runs, unconditionally" review fix is confirmed.

Caught a real issue ⚠️ (corrected the code comment in 76c3614)

• Creating a new bridge took MASQUERADE 86 → 99 (+13), not +1. The idempotent iptables module protects our rule, but the Proxmox API reload (PUT) re-runs the existing bridges' legacy post-up iptables -A hooks, re-appending +12 duplicates. So the accumulation is bounded to +N per new bridge (re-deploys are clean), but not eliminated. Proper fix is systemic — make the host bridges' NAT idempotent / move out of post-up (backend chg: Adapted lab to deploy the containers #82/fix(scenarios): parameterize cloud-init DNS instead of hardcoding 1.1.1.1 #85), or apply only the new iface instead of a global reload.

Infra gaps that block the full backend-driven deploy (pre-existing, not this PR)

• The deployer VM has no root SSH key to pve01, so the proxmox-cli plays can't run from the backend.
• The generated/static inventory carries no real Proxmox API token (CHANGE_ME).
• No Project/Source data is set up for a _universal deployment.

So slice 4's logic is validated against real Proxmox; the end-to-end backend path needs the above wiring before it can run unattended.

[pparage]

Re-targeted from feature/gamenet-authoring-v1 (stale: last commit May 8, superseded by dev) to dev, so the current _universal network-provisioning state can be deployed and tested directly.

Pairs with range42-backend-api#98 (also into dev) — that one emits r42_network_map + per-host r42_ci_* vars that these tasks consume, so deploy both together. The NEEDS LIVE VALIDATION checklist in the description above is the hands-on test plan (fresh bridge create/reload, single MASQUERADE, cloud-init IP == inventory ansible_host, custom CIDR honored end-to-end).

Note: this is the vmbr + iptables 'first draft' approach, not the SDN direction under discussion.