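---
# Main task list for the wireguard role: validate the tunnel definitions,
# install WireGuard and the resolvconf shim, make sure systemd-resolved is
# running, restrict the configuration directory to root, then include
# tunnel.yml once per entry of wireguard_tunnels.

# Fail early, before anything is installed, when the tunnel list is unusable.
- name: Validate wireguard_tunnels is defined and non-empty
  ansible.builtin.assert:
    that:
      - wireguard_tunnels is defined
      # The "Configure tunnel" task feeds this variable to `loop`, which only
      # accepts a list. A string or a mapping would pass the length check
      # below and fail later, so reject them here.
      - wireguard_tunnels is not string
      - wireguard_tunnels is not mapping
      - wireguard_tunnels is iterable
      - wireguard_tunnels | length > 0
    fail_msg: |
      wireguard_tunnels must be defined with at least one tunnel.
      See roles/wireguard/defaults/main.yml for configuration instructions.
    success_msg: "wireguard_tunnels validation passed"

# The package name comes from wireguard_package_name, which is defined
# outside this file.
- name: Install wireguard
  ansible.builtin.package:
    name: "{{ wireguard_package_name }}"
    state: present

# Use systemd-resolved for DNS management (modern approach on all distributions)
# Install systemd-resolvconf to provide resolvconf compatibility wrapper
# "systemd-resolved" is preferred over "openresolv"
- name: Install systemd-resolvconf (Debian only, built into systemd on Arch)
  ansible.builtin.package:
    name: systemd-resolvconf
    state: present
  when: ansible_facts['os_family'] == 'Debian'

- name: Ensure systemd-resolved is enabled and started
  ansible.builtin.systemd:
    name: systemd-resolved
    enabled: true
    state: started

# Restrict the configuration tree to root before any tunnel file is written.
# `state: directory` is explicit so the recursive form does not depend on
# what already exists at the path.
# NOTE(review): with `recurse: true`, mode "0700" is applied to every file
# under the path as well, so configuration files end up with the execute bit
# set. If tunnel.yml writes its files with a stricter mode (for example
# "0600"), the two tasks would change the mode back and forth on every run;
# confirm against tunnel.yml. A symbolic mode such as "u=rwX,go=" keeps the
# tree root-only without adding execute to regular files.
- name: Ensure wireguard configuration is only owned by root
  ansible.builtin.file:
    path: "{{ wireguard_config_base_path }}"
    state: directory
    owner: root
    group: root
    mode: "0700"
    recurse: true

# tunnel.yml is included once per tunnel; the current entry is exposed as
# `_tunnel` instead of the default `item`.
- name: Configure tunnel
  ansible.builtin.include_tasks: tunnel.yml
  loop: "{{ wireguard_tunnels }}"
  loop_control:
    loop_var: _tunnel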