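---
# WireGuard client tasks: generate a keypair once, render the interface
# config, open the local listener, and allow this host on the server side.

- name: Ensure keys are generated
  # umask 077 keeps the private key readable by root only. pipefail makes a
  # failed `wg genkey`/`wg pubkey` fail the task instead of leaving an empty
  # publickey that would satisfy `creates` on every later run.
  shell: set -o pipefail && umask 077 && wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
  args:
    executable: /bin/bash
    creates: /etc/wireguard/publickey
  register: key_generation
  notify:
    - Restart Wireguard service

- name: Register private key
  slurp:
    src: /etc/wireguard/privatekey
  register: private_key_slurp
  # Key material must not appear in task output or logs.
  no_log: true

- name: Set private key variable
  set_fact:
    private_key: "{{ private_key_slurp.content | b64decode }}"
  no_log: true

- name: Register public key
  slurp:
    src: /etc/wireguard/publickey
  register: public_key_slurp

- name: Set public key variable
  set_fact:
    public_key: "{{ public_key_slurp.content | b64decode }}"

- name: Ensure Wireguard client is configured
  template:
    src: templates/wireguard_client.conf
    dest: "/etc/wireguard/{{ interface_name }}.conf"
    # The rendered config presumably embeds private_key (the fact is set for
    # it above); keep the file root-only rather than the umask default.
    mode: "0600"
    backup: true
  notify:
    - Restart Wireguard service

- name: Ensure UFW firewall rule exists
  ufw:
    rule: allow
    port: "{{ vpnes_port }}"
    comment: 'Wireguard client listener'
    proto: udp
  notify:
    - Restart Wireguard service

- name: Show public key reminder
  debug:
    msg: "Remember to add this host '{{ inventory_hostname }}' public key to the inventory '{{ public_key }}'"
  when: key_generation is changed

# - name: Ensure cron to ping VPN server exists
#   cron:
#     name: Ping Hiljainen
#     state: absent
#     job: ping -c 3 192.168.2.4 &> /dev/null
#     hour: '1'
#     user: gestor
# - name: Ensure service unit to ping server exists
#   template:
#     src: templates/ping_wg_server.service.j2
#     dest: '/etc/systemd/system/ping_wg_server.service'
#     backup: yes
# - name: Ensure timer unit to ping server exists
#   template:
#     src: templates/ping_wg_server.timer.j2
#     dest: '/etc/systemd/system/ping_wg_server.timer'
#     backup: yes
# - name: Ensure ping systemd service unit is enabled
#   systemd:
#     name: ping_wg_server.service
#     enabled: false
#     daemon_reload: true
#     masked: false
# - name: Ensure ping systemd timer unit is enabled
#   systemd:
#     name: ping_wg_server.timer
#     state: started
#     enabled: false
#     daemon_reload: true
#     masked: false

- name: Get host public IP
  # Third-party lookup over HTTPS (certificate validation is the module
  # default); the returned address is fed straight into a firewall rule below.
  uri:
    url: https://api.ipify.org?format=json
  register: pub_ip

- name: Allow traffic to server
  ufw:
    rule: allow
    from: "{{ pub_ip.json.ip }}"
    # WireGuard only speaks UDP; do not open every protocol to this address.
    # TODO(review): also restrict `port` to the server's WireGuard listen port
    # once that value is available as a variable.
    proto: udp
  delegate_to: "{{ groups['wireguard_server'][0] }}"
  notify:
    - Restart Wireguard service

- name: Ping VPN server for monitoring
  # argv form: the templated address is passed as a single argument and is
  # never interpreted by a shell.
  command:
    argv:
      - ping
      - -c
      - "3"
      - -4
      - "{{ server_address }}"
  register: ping_result
  # A ping never changes host state; report it as such.
  changed_when: false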