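---
# WireGuard server tasks: render the interface config, open the listen port,
# enable kernel forwarding and bring the wg-quick unit up.
# Variables expected from the caller: interface_name, listenport.

- name: Ensure Wireguard server is configure
  template:
    src: templates/wireguard_server.conf
    dest: "/etc/wireguard/{{ interface_name }}.conf"
    # A wg-quick config typically carries the interface private key, so the
    # rendered file must not be readable by other local users. Without an
    # explicit mode the file inherits the umask (often world-readable).
    mode: "0600"
  notify:
    - Restart Wireguard service

- name: Ensure UFW firewall rule exists
  ufw:
    rule: allow
    port: "{{ listenport }}"
    comment: 'Wireguard server listener'
    proto: udp

# NOTE(review): this sets the *default* policy for forwarded traffic to allow,
# i.e. every routed packet is permitted regardless of source interface. That
# makes the per-subnet rule below redundant and is broader than a VPN gateway
# usually needs; consider keeping the default at deny and allowing only the
# WireGuard interface (ufw `interface_in`/`route: true`) — confirm intent.
- name: Ensure UFW firewall routes
  ufw:
    default: allow
    direction: routed

- name: Ensure IPv4 forwarding works
  sysctl:
    name: net.ipv4.ip_forward
    value: '1'
    sysctl_set: true

- name: Ensure IPv6 forwarding works
  sysctl:
    name: net.ipv6.conf.all.forwarding
    value: '1'
    sysctl_set: true

# Starts the unit only; it is not enabled at boot here. Add `enabled: true`
# if the tunnel is expected to survive a reboot.
- name: Ensure Wireguard service is running for {{ interface_name }}
  systemd:
    name: "wg-quick@{{ interface_name }}"
    state: started
    daemon_reload: true

# No port/proto given, so this allows *all* traffic from the VPN client subnet
# to this host. Scope it (port/proto) if clients should only reach specific
# services. The subnet is hard-coded; presumably it matches the Address/
# AllowedIPs in the template — verify.
- name: Ensure VPN traffic is enabled
  ufw:
    from_ip: 192.168.2.0/24
    rule: allow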