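---
# Tasks for the wireguard role: install WireGuard, generate the host key pair
# once, render the interface config, open the UDP port and start the wg-quick
# unit. The private key is kept root-only on disk and out of Ansible output.

- name: Validate required variables are set
  ansible.builtin.assert:
    that:
      - wireguard_address is defined
      - wireguard_address | length > 0
      - wireguard_dns is defined
      - wireguard_dns | length > 0
    fail_msg: |
      wireguard_address and wireguard_dns are required.
      See roles/wireguard/defaults/main.yml for configuration instructions.
    success_msg: "Variable validation passed"

- name: Install wireguard
  ansible.builtin.package:
    # Arch packages the userspace tools as "wireguard-tools"; other families use "wireguard".
    name: "{{ (ansible_facts['os_family'] == 'Archlinux') | ternary('wireguard-tools', 'wireguard') }}"
    state: present

# Use systemd-resolved for DNS management (modern approach on all distributions).
# Install systemd-resolvconf to provide the resolvconf compatibility wrapper
# that wg-quick invokes for its "DNS=" setting; "systemd-resolved" is preferred
# over "openresolv".
# NOTE(review): the package name "systemd-resolvconf" may not exist under that
# name on every os_family this role targets — confirm against the supported distributions.
- name: Install systemd-resolvconf
  ansible.builtin.package:
    name: systemd-resolvconf
    state: present

- name: Ensure systemd-resolved is enabled and started
  ansible.builtin.systemd:
    name: systemd-resolved
    enabled: true
    state: started

# The key pair lives under this directory; recurse so an existing key pair that
# was created with a permissive umask is tightened as well.
- name: Ensure wireguard configuration is only owned by root
  ansible.builtin.file:
    path: "{{ wireguard_config_base_path }}"
    owner: root
    group: root
    mode: "0700"
    recurse: true

- name: Check if private key exists
  ansible.builtin.stat:
    path: "{{ wireguard_config_base_path }}/privatekey"
  register: pkey_file

# umask 077 so the key files are created root-only at creation time rather than
# relying on the directory task above; pipefail so a failing "wg genkey" does
# not leave an empty privatekey behind that later runs would treat as present.
# The base path is shell-quoted since it is interpolated into a command line.
- name: Generate wireguard keys if not present
  ansible.builtin.shell: >-
    set -o pipefail &&
    umask 077 &&
    wg genkey
    | tee {{ wireguard_config_base_path | quote }}/privatekey
    | wg pubkey > {{ wireguard_config_base_path | quote }}/publickey
  args:
    executable: /bin/bash
    creates: "{{ wireguard_config_base_path }}/privatekey"
  when: not pkey_file.stat.exists

- name: Retrieve wireguard private key from file
  ansible.builtin.slurp:
    src: "{{ wireguard_config_base_path }}/privatekey"
  register: private_key
  # The registered result carries the key (base64); keep it out of verbose output.
  no_log: true

- name: Set wireguard private key
  ansible.builtin.set_fact:
    wireguard_private_key: "{{ private_key['content'] | b64decode }}"
  no_log: true

# When unbound serves the LAN, letting wg-quick push "DNS=" at startup would
# race with unbound, so the setting is cleared (null) for the template.
- name: Disable "dns=" instruction if unbound is used to avoid race conditions at startup
  ansible.builtin.set_fact:
    wireguard_dns: null
  when: unbound_custom_lan_records is defined

# The rendered config embeds the private key, so it must not be created with
# the target's default umask (commonly 0644).
# NOTE(review): dest is hard-coded to /etc/wireguard while the key tasks use
# wireguard_config_base_path — confirm the two always refer to the same directory.
- name: Install wireguard config
  ansible.builtin.template:
    src: wireguard.conf.j2
    dest: "/etc/wireguard/{{ wireguard_interface }}.conf"
    owner: root
    group: root
    mode: "0600"

- name: Create systemd override directory for wg-quick
  ansible.builtin.file:
    path: "/etc/systemd/system/wg-quick@{{ wireguard_interface }}.service.d"
    state: directory
    mode: "0755"

- name: Deploy systemd override for network dependency
  ansible.builtin.template:
    src: systemd-override.conf.j2
    dest: "/etc/systemd/system/wg-quick@{{ wireguard_interface }}.service.d/network-dependency.conf"
    mode: "0644"
  notify: Reload systemd

# Retried because ufw can fail transiently (presumably lock contention with
# another ufw invocation); the until/register pair turns that into a bounded wait.
- name: Configure the firewall for wireguard
  community.general.ufw:
    rule: allow
    port: "{{ wireguard_port }}"
    proto: udp
    direction: in
    comment: Wireguard VPN
  retries: 5
  delay: 2
  register: ufw_result
  until: ufw_result is succeeded

# ansible.builtin.systemd (not service) so daemon_reload is a documented option
# and the override deployed above is picked up before the unit starts;
# consistent with the systemd-resolved task earlier in this file.
- name: Start and enable service
  ansible.builtin.systemd:
    name: "wg-quick@{{ wireguard_interface }}"
    state: started
    enabled: true
    daemon_reload: true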