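---
# Installs WireGuard, generates a host key pair on first run and brings up
# wg-quick@<interface>. Variables expected from the caller:
#   wireguard_config_base_path, wireguard_interface, wireguard_port
#   (optional) unbound_custom_lan_records — when defined, the DNS= line is disabled.

- name: Install wireguard
  ansible.builtin.package:
    # Arch ships the userspace tools as "wireguard-tools"; the other families as "wireguard"
    name: "{{ (ansible_facts['os_family'] == 'Archlinux') | ternary('wireguard-tools', 'wireguard') }}"
    state: present

# to support "DNS=" if used in a "client way"
- name: Install openresolv/resolveconf
  ansible.builtin.package:
    name: "{{ (ansible_facts['os_family'] == 'Archlinux') | ternary('openresolv', 'resolvconf') }}"
    state: present

- name: Ensure wireguard configuration is only owned by root
  ansible.builtin.file:
    path: "{{ wireguard_config_base_path }}"
    owner: root
    group: root
    mode: "0700"
    recurse: true

- name: Check if private key exists
  ansible.builtin.stat:
    path: "{{ wireguard_config_base_path }}/privatekey"
  register: pkey_file

- name: Generate wireguard keys if not present
  # umask 077 so the key files are never created world-readable, even briefly
  # (the 0700 recurse above runs before these files exist, so it does not cover them);
  # pipefail surfaces a failing `wg genkey` instead of reporting success.
  ansible.builtin.shell: >-
    set -o pipefail && umask 077 &&
    wg genkey | tee {{ wireguard_config_base_path }}/privatekey
    | wg pubkey > {{ wireguard_config_base_path }}/publickey
  args:
    executable: /bin/bash
  when: not pkey_file.stat.exists

- name: Ensure wireguard key files are readable by root only
  # Enforced on every run, independent of the umask in effect when the keys were generated.
  ansible.builtin.file:
    path: "{{ wireguard_config_base_path }}/{{ item }}"
    owner: root
    group: root
    mode: "0600"
  loop:
    - privatekey
    - publickey

- name: Retrieve wireguard private key from file
  ansible.builtin.slurp:
    src: "{{ wireguard_config_base_path }}/privatekey"
  register: private_key
  no_log: true  # the base64 'content' returned here is the private key itself

- name: Set wireguard private key
  ansible.builtin.set_fact:
    # wg genkey writes a trailing newline; trim it so the template receives a bare key
    wireguard_private_key: "{{ private_key['content'] | b64decode | trim }}"
  no_log: true

- name: Disable "dns=" instruction if unbound is used to avoid race conditions at startup
  ansible.builtin.set_fact:
    # explicit null rather than a bare empty value; the template is expected to
    # omit DNS= when this is unset
    wireguard_dns: null
  when: unbound_custom_lan_records is defined

- name: Install wireguard config
  ansible.builtin.template:
    src: wireguard.conf.j2
    # wg-quick@<iface> reads /etc/wireguard/<iface>.conf, so this destination is
    # fixed rather than derived from wireguard_config_base_path
    dest: "/etc/wireguard/{{ wireguard_interface }}.conf"
    owner: root
    group: root
    mode: "0600"  # the rendered file embeds the private key
  diff: false  # a --diff run would otherwise print the private key
  # NOTE(review): a changed config is not applied to an already-running interface;
  # a handler restarting wg-quick@{{ wireguard_interface }} would close that gap.

- name: Configure the firewall for wireguard
  community.general.ufw:
    rule: allow
    port: "{{ wireguard_port }}"
    proto: udp
    direction: in
    comment: Wireguard VPN

- name: Start and enable service
  # wg-quick@ is a systemd template unit and daemon_reload is a systemd option,
  # so use the systemd module directly instead of the generic service wrapper
  ansible.builtin.systemd:
    name: "wg-quick@{{ wireguard_interface }}"
    state: started
    enabled: true
    daemon_reload: true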