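---
# WireGuard client tasks: generate the keypair once, render the interface
# config, open the listen port, and keep /etc/hosts entries for peers.
# Handler "Restart Wireguard service" is defined outside this file.

- name: Ensure keys are generated
  # umask 077 keeps both key files owner-only; `creates` makes the task
  # idempotent so an existing keypair is never overwritten.
  shell: umask 077 && wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
  args:
    creates: /etc/wireguard/publickey
  register: key_generation
  notify:
    - Restart Wireguard service

- name: Register private key
  slurp:
    src: /etc/wireguard/privatekey
  register: private_key_slurp
  # The registered result holds the (base64) private key; keep it out of
  # verbose task output.
  no_log: true

- name: Set private key variable
  set_fact:
    private_key: "{{ private_key_slurp.content | b64decode | trim }}"
  no_log: true

- name: Register public key
  slurp:
    src: /etc/wireguard/publickey
  register: public_key_slurp

- name: Set public key variable
  set_fact:
    # `trim` drops the trailing newline written by `wg pubkey`, so the fact is
    # derived the same way as private_key above.
    public_key: "{{ public_key_slurp.content | b64decode | trim }}"

- name: Ensure Wireguard client is configured
  template:
    src: templates/wireguard_client.conf
    dest: "/etc/wireguard/{{ interface_name }}.conf"
    backup: true
  notify:
    - Restart Wireguard service

- name: Ensure UFW firewall rule exists
  ufw:
    rule: allow
    port: "{{ listenport }}"
    comment: 'Wireguard client listener'
    proto: udp
  notify:
    - Restart Wireguard service

- name: Show public key reminder
  debug:
    msg: "Remember to add this host '{{ inventory_hostname }}' public key to the inventory '{{ public_key }}'"
  # Only shown on the run that actually generated a new keypair.
  when: key_generation.changed

- name: Get host public IP
  # Queries a third-party service on every run; the result is currently only
  # consumed by the commented-out "Allow traffic to server" task below.
  uri:
    url: https://api.ipify.org?format=json
  register: pub_ip

# - name: Allow traffic to server
#   ufw:
#     rule: allow
#     from: "{{ pub_ip.json.ip }}"
#   delegate_to: "{{ groups['wireguard_server'][0] }}"
#   notify:
#     - Restart Wireguard service
#     - Ping Wireguard server

- name: Configure peers hosts file entry (from wg_address)
  lineinfile:
    path: /etc/hosts
    # The CIDR suffix is stripped so the entry is a bare address; the regexp
    # keeps the trailing space so "10.0.0.1" cannot match "10.0.0.10".
    regexp: "^{{ hostvars[item]['wg_address'] | regex_replace('/.*$', '') }} "
    line: "{{ hostvars[item]['wg_address'] | regex_replace('/.*$', '') }} {{ item }}.{{ vpn_domain }}"
    backup: true
    create: true
  loop: "{{ groups['wireguard_clients'] }}"
  when: "'wg_address' in hostvars[item]"

- name: Configure peers hosts file entry (from allowed IPs)
  lineinfile:
    path: /etc/hosts
    regexp: "^{{ hostvars[item]['AllowedIPs'] | regex_replace('/.*$', '') }} "
    line: "{{ hostvars[item]['AllowedIPs'] | regex_replace('/.*$', '') }} {{ item }}.{{ vpn_domain }}"
    backup: true
    create: true
  loop: "{{ groups['wireguard_clients'] }}"
  # Peers defining neither wg_address nor AllowedIPs are skipped rather than
  # failing on the undefined lookup in `regexp` or writing an address-less line.
  when: "'wg_address' not in hostvars[item] and 'AllowedIPs' in hostvars[item]"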