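---
# Ansible tasks: provision a WireGuard client (key pair, interface config,
# UFW rule), replace an old cron ping with a systemd timer, and open the
# server-side firewall for this host's public IP.
# The "Restart Wireguard service" handler is defined outside this file.

- name: Ensure keys are generated
  # umask 077 so privatekey/publickey are created without group/world access;
  # `creates` keeps the task idempotent — keys are never regenerated.
  shell: umask 077 && wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
  args:
    creates: /etc/wireguard/publickey
  register: key_generation
  notify:
    - Restart Wireguard service

- name: Register private key
  slurp:
    src: /etc/wireguard/privatekey
  register: private_key_slurp
  # The registered result holds the private key (base64); keep it out of
  # verbose output and logs.
  no_log: true

- name: Set private key variable
  set_fact:
    private_key: "{{ private_key_slurp.content | b64decode }}"
  no_log: true

- name: Register public key
  slurp:
    src: /etc/wireguard/publickey
  register: public_key_slurp

- name: Set public key variable
  set_fact:
    public_key: "{{ public_key_slurp.content | b64decode }}"

- name: Ensure Wireguard client is configured
  template:
    src: templates/wireguard_client.conf
    dest: "/etc/wireguard/{{ interface_name }}.conf"
    owner: root
    group: root
    # The rendered config is expected to embed the private key; without an
    # explicit mode the file would be created with default (typically 0644)
    # permissions.
    mode: "0600"
    backup: true
  notify:
    - Restart Wireguard service

- name: Ensure UFW firewall rule exists
  ufw:
    rule: allow
    port: "{{ vpnes_port }}"
    comment: 'Wireguard client listener'
    proto: udp

- name: Show public key reminder
  debug:
    msg: "Remember to add this host '{{ inventory_hostname }}'' public key to the inventory '{{ public_key }}'"
  when: key_generation.changed

# The cron job is superseded by the systemd timer below; this task only
# removes any leftover entry.
- name: Ensure cron to ping VPN server is absent
  cron:
    name: Ping Hiljainen
    state: absent
    job: ping -c 3 192.168.2.4 &> /dev/null
    hour: '1'
    user: gestor

- name: Ensure service unit to ping server exists
  template:
    src: templates/ping_wg_server.service.j2
    dest: '/etc/systemd/system/ping_wg_server.service'
    backup: true

- name: Ensure timer unit to ping server exists
  template:
    src: templates/ping_wg_server.timer.j2
    dest: '/etc/systemd/system/ping_wg_server.timer'
    backup: true

- name: Ensure ping systemd service unit is enabled
  systemd:
    name: ping_wg_server.service
    enabled: true
    daemon_reload: true
    masked: false

- name: Ensure ping systemd timer unit is enabled
  systemd:
    name: ping_wg_server.timer
    state: started
    enabled: true
    daemon_reload: true
    masked: false

- name: Get host public IP
  # Depends on an external service; the play fails here if it is unreachable.
  uri:
    url: https://api.ipify.org?format=json
  register: pub_ip

# NOTE(review): this allows all traffic from the client's public IP to the
# server; consider restricting it to the server's WireGuard UDP port.
- name: Allow traffic to server
  ufw:
    rule: allow
    from: "{{ pub_ip.json.ip }}"
  delegate_to: "{{ groups['wireguard_server'][0] }}"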