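---
# Provisions a WireGuard peer: generates the host keypair, publishes this
# host's [Peer] stanza to the shared peers repository, applies the client
# configuration, restarts the tunnel and opens the UDP listener.
#
# NOTE(review): the `notify: Restart Wireguard service` below targets a
# handler by name; the identically named plain task further down is not a
# handler, so a handler of that name must exist in handlers/ for the notify
# to have any effect — confirm against the role layout.

- name: Ensure keys are generated
  # umask 077 makes both key files root-only; `creates` keeps the task
  # idempotent so an existing keypair is never regenerated.
  shell: umask 077 && wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
  args:
    creates: /etc/wireguard/publickey
  notify:
    - Restart Wireguard service

- name: Register private key
  slurp:
    src: /etc/wireguard/privatekey
  register: private_key_slurp
  # Key material must not appear in task output / play logs.
  no_log: true

- name: Set private key variable
  # `private_key` is not consumed by any task in this file; it is kept for
  # consumers elsewhere (e.g. a client config template).
  set_fact:
    private_key: "{{ private_key_slurp.content | b64decode }}"
  no_log: true

- name: Register public key
  slurp:
    src: /etc/wireguard/publickey
  register: public_key_slurp

- name: Set public key variable
  set_fact:
    public_key: "{{ public_key_slurp.content | b64decode }}"

- name: Ensure git repository is cloned and updated
  git:
    repo: ssh://git@repos.susurrando.com:1122/srv/git.repos/wireguard_peers.git
    dest: /var/lib/from_repos/wireguard_peers
    update: true
    # Discard local edits so every run starts from the remote HEAD.
    force: true

# Resulting per-host stanza, for reference:
# [Peer]
# PublicKey = TrMvSoP4jYQlY6RIzBgbssQqY3vxI2Pi+y71lOWWXX0=
# Endpoint = [2607:5300:60:6b0::c05f:543]:2468
# AllowedIPs = 10.192.122.4/32, 192.168.0.0/16

- name: Ensure there is a folder in the repo for the VPN interface
  file:
    state: directory
    path: "/var/lib/from_repos/wireguard_peers/{{ interface_name }}"

- name: Set public key to peer conf file
  ini_file:
    path: "/var/lib/from_repos/wireguard_peers/{{ interface_name }}/{{ inventory_hostname }}.conf"
    section: Peer
    option: PublicKey
    # Strip the trailing newline written by wg pubkey.
    value: "{{ public_key | trim }}"
    create: true
    backup: true

- name: Set allowed IPs to peer conf file
  ini_file:
    path: "/var/lib/from_repos/wireguard_peers/{{ interface_name }}/{{ inventory_hostname }}.conf"
    section: Peer
    option: AllowedIPs
    value: "{{ vpnes_ip }}/32"
    create: true
    backup: true

- name: Set end point to peer conf file
  ini_file:
    path: "/var/lib/from_repos/wireguard_peers/{{ interface_name }}/{{ inventory_hostname }}.conf"
    section: Peer
    option: Endpoint
    # NOTE(review): the reference stanza above shows a bracketed IPv6
    # endpoint; an IPv6 `ansible_host` would need `[...]` wrapping here,
    # which this expression does not add — confirm inventory values.
    value: "{{ ansible_host }}:{{ vpnes_port }}"
    create: true
    backup: true

- name: Create commit with changes to repo of peers
  # Commit only when the index actually changed (a bare `git commit` with
  # nothing staged exits non-zero and would fail the play), and push
  # without --force so one host can never overwrite stanzas pushed by
  # other peers; a rejected push fails the task instead of losing data.
  shell: |-
    git add .
    if git diff --cached --quiet; then
      echo NO_CHANGES
      exit 0
    fi
    git commit -m 'Update {{ inventory_hostname }}' && git push
  args:
    chdir: /var/lib/from_repos/wireguard_peers/
  register: peers_commit
  changed_when: "'NO_CHANGES' not in peers_commit.stdout"

- name: Ensure Wireguard client is configured
  # Play variables are not exported to the shell environment, so the
  # former '${vpnes_ip}' / '${vpnes_port}' arguments expanded to empty
  # strings; template them with Jinja and shell-quote them instead.
  shell: "/var/lib/from_repos/wireguard_peers/update_configuration.sh {{ vpnes_ip | quote }} {{ vpnes_port | quote }}"

- name: Restart Wireguard service
  systemd:
    name: "wg-quick@{{ interface_name }}"
    state: restarted
    enabled: true
    daemon_reload: true

# - name: Ensure Wireguard client is configured
#   template:
#     src: templates/wireguard_client.conf
#     dest: "/etc/wireguard/{{ interface_name }}.conf"
#     backup: yes
#   notify:
#     - Restart Wireguard service

- name: Ensure UFW firewall rule exists
  ufw:
    rule: allow
    port: "{{ vpnes_port }}"
    comment: 'Wireguard client listener'
    proto: udp

# - name: Get public key
#   slurp:
#     src: /etc/wireguard/publickey
#   register: public_key
# - name: Show public key reminder
#   debug:
#     msg: "Remember to add this host '{{ inventory_hostname }}'' public key to the inventory '{{ public_key.content | b64decode }}'"

- name: Ensure cron to ping VPN server exists
  cron:
    name: Ping VPN server
    # cron runs jobs with /bin/sh, where bash's `&>` is not a redirection:
    # it backgrounds ping and its output gets mailed. Use the POSIX form.
    job: ping -c 3 192.168.2.4 > /dev/null 2>&1
    # NOTE(review): no `minute` is given, so this fires every minute of the
    # 01:00 hour; set `minute` if a single daily ping was intended.
    hour: '1'
    user: gestor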