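---
# Host firewall (UFW) and WireGuard mesh bootstrap for one cluster node.
#
# Variables read here but defined elsewhere (inventory / group vars):
#   ufw_enabled, ansible_ssh_port, hostvars[*].wireguard_ip,
#   groups['serverctl_cluster'], systemd_network_dir
# Facts produced for the systemd.netdev / systemd.network templates:
#   wireguard_private_key, wireguard_public_key (stdout of `cat`),
#   wireguard_preshared_keys (mapping: peer hostname -> PSK)

# Only refreshes the apt index (bounded by cache_valid_time); nothing is upgraded.
- name: update packages
  apt:
    update_cache: true
    cache_valid_time: 3600
  become: true

- name: install ufw
  apt:
    name: ufw
    state: present
  become: true
  when: ufw_enabled

# Opened before the default policy is switched to reject so the control
# connection is never locked out. Falls back to the SSH default port when
# the inventory does not define ansible_ssh_port.
- name: Allow SSH in UFW
  ufw:
    rule: allow
    port: "{{ ansible_ssh_port | default(22) }}"
    proto: tcp
  become: true
  when: ufw_enabled

- name: Set ufw logging
  ufw:
    logging: "on"  # quoted: a bare `on` is read as boolean true by YAML 1.1 parsers
  become: true
  when: ufw_enabled

# NOTE(review): this allows every port and protocol from each peer's
# wireguard_ip, and it iterates groups['all'] while the PSK tasks below only
# iterate groups['serverctl_cluster'] — a host without wireguard_ip fails
# this task. Confirm the intended peer set and whether the rule should be
# narrowed to the WireGuard listen port.
- name: inter-node Wireguard UFW connectivity
  ufw:
    rule: allow
    src: "{{ hostvars[item].wireguard_ip }}"
  with_items: "{{ groups['all'] }}"
  become: true
  when: ufw_enabled and item != inventory_hostname

# Default incoming policy becomes reject only after the allow rules above exist.
- name: Reject everything and enable UFW
  ufw:
    state: enabled
    policy: reject
    log: true
  become: true
  when: ufw_enabled

# Persisting to /etc/sysctl.d and reloading needs root; every other task in
# this file escalates with become, this one did not.
- name: enable and persist ip forwarding
  sysctl:
    name: net.ipv4.ip_forward
    value: "1"
    state: present
    sysctl_set: true
    reload: true
  become: true

- name: install wireguard
  apt:
    name: wireguard
    state: present
  become: true

# umask 077 so the key files are not created world-readable under the default
# umask; `creates` keeps the task idempotent (an existing key is never
# regenerated). Only the public key reaches stdout.
- name: generate wireguard keypair
  shell: umask 077 && wg genkey | tee /etc/wireguard/privatekey | wg pubkey | tee /etc/wireguard/publickey
  args:
    creates: /etc/wireguard/privatekey
  become: true

# no_log keeps the private key out of task output and callback logs; the
# registered variable is still populated for the templates.
- name: register private key
  shell: cat /etc/wireguard/privatekey
  register: wireguard_private_key
  changed_when: false
  no_log: true
  become: true

- name: register public key
  shell: cat /etc/wireguard/publickey
  register: wireguard_public_key
  changed_when: false
  become: true

# One PSK per node pair, generated on the lexically smaller hostname
# (inventory_hostname < item) so each pair produces exactly one key.
- name: generate preshared keypair
  shell: "umask 077 && wg genpsk > /etc/wireguard/psk-{{ item }}"
  args:
    creates: "/etc/wireguard/psk-{{ item }}"
  when: inventory_hostname < item
  with_items: "{{ groups['serverctl_cluster'] }}"
  become: true

# Same pairing rule as above; results for item >= inventory_hostname are
# skipped entries in wireguard_preshared_key.results.
- name: register preshared key
  shell: "cat /etc/wireguard/psk-{{ item }}"
  register: wireguard_preshared_key
  changed_when: false
  when: inventory_hostname < item
  with_items: "{{ groups['serverctl_cluster'] }}"
  no_log: true
  become: true

# Fold the loop results into a mapping peer hostname -> PSK; skipped results
# carry no stdout and are left out. Structured set_fact form instead of the
# key=value string; the resulting fact is the same.
- name: message preshared keys
  set_fact:
    wireguard_preshared_keys: "{{ wireguard_preshared_keys | default({}) | combine({item.item: item.stdout}) }}"
  when: item.skipped is not defined
  with_items: "{{ wireguard_preshared_key.results }}"
  no_log: true
  become: true

# Rendered files are root:systemd-network 0640 so only systemd-networkd can
# read them (presumably the netdev unit embeds the private key — confirm in
# the template). Mode is quoted so the leading zero survives YAML parsing.
- name: Setup wg0 device
  template:
    src: systemd.netdev
    dest: "{{ systemd_network_dir }}/99-wg0.netdev"
    owner: root
    group: systemd-network
    mode: "0640"
  become: true
  notify: systemd network restart

- name: Setup wg0 network
  template:
    src: systemd.network
    dest: "{{ systemd_network_dir }}/99-wg0.network"
    owner: root
    group: systemd-network
    mode: "0640"
  become: true
  notify: systemd network restart

# Disabled: the interface is brought up by systemd-networkd via the
# templates above, not by wg-quick.
# - name: Start and enable wireguard on boot
#   systemd:
#     name: wg-quick@wgserverctl0
#     enabled: true
#     state: started

# Disabled debugging aid.
# - debug: msg="{{item.1}} - {{ (wireguard_base_ipv4|ipaddr(item.0 + 1)) }}"
#   with_indexed_items: "{{groups.serverctl_mesh_nodes}}"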