---
- name: Gather instance facts
  setup:

- include_tasks: "setup-{{ ansible_distribution|lower }}.yml"

- name: Install WireGuard
  package:
    name: "{{ packages }}"
    state: present
  vars:
    packages:
    - wireguard-dkms
    - wireguard-tools
  tags:
    - wg-install
    - skip_ansible_lint

- name: Enable WireGuard kernel module
  modprobe:
    name: wireguard
    state: present
  register: wireguard_module_enabled
  until:  wireguard_module_enabled is succeeded
  retries: 10
  delay: 10
  failed_when: wireguard_module_enabled is failure
  tags:
    - wg-install

- name: Create WireGuard public key directory locally
  file:
    dest: "{{ wireguard_cert_directory }}"
    state: directory
    owner: "{{ wireguard_cert_owner }}"
    group: "{{ wireguard_cert_group }}"
    mode: 0755
  run_once: true
  delegate_to: localhost
  tags:
    wg-generate-keys

- name: Set WireGuard IP (without mask)
  set_fact:
    wireguard_ip: "{{ wireguard_address.split('/')[0] }}"

- name: Set path to public key file
  set_fact:
    public_key_file_path: "{{ wireguard_cert_directory }}/{{ inventory_hostname }}.public.key"
  tags:
    wg-generate-keys

- name: Register if config/private key already exists on target host
  stat:
    path: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf"
  register: config_file_stat
  tags:
    - wg-generate-keys

- block:
  - name: Generate WireGuard private key
    shell: "wg genkey"
    register: wg_private_key_result
    tags:
      - wg-generate-keys
      - skip_ansible_lint

  - name: Generate WireGuard public key
    shell: "echo '{{ wg_private_key }}' | wg pubkey"
    register: wg_public_key_result
    tags:
      - wg-generate-keys

  - name: Set public key fact
    set_fact:
      wg_public_key: "{{ wg_public_key_result.results[0].stdout }}"
    tags:
      - wg-generate-keys

  - name: Store hosts public key locally
    template:
      src: "wg-publickey.j2"
      dest: "{{ public_key_file_path }}"
      owner: "{{ wireguard_cert_owner }}"
      group: "{{ wireguard_cert_group }}"
      mode: 0644
    delegate_to: localhost
    tags:
      - wg-generate-keys
  when: not config_file_stat.stat.exists

- name: Read WireGuard config file
  slurp:
    src: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf"
  register: wg_config

- name: Read private key
  set_fact:
    private_key: "{{ wg_config['content'] | b64decode | regex_findall('PrivateKey = (.*)') | first }}"
  tags:
    wg-config

- name: Read public key
  set_fact:
    public_key: "{{ lookup('file', public_key_file_path) }}"
  tags:
    wg-config

- name: Create WireGuard configuration directory
  file:
    dest: "{{ wireguard_remote_directory }}"
    state: directory
    mode: 0700
  tags:
    - wg-config

- name: Generate WireGuard configuration file
  template:
    src: wg.conf.j2
    dest: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf"
    owner: root
    group: root
    mode: 0600
  tags:
    - wg-config
  notify:
    - restart wireguard
 
- name: Start and enable WireGuard service
  service:
    name: "wg-quick@{{ wireguard_interface }}"
    state: started
    enabled: yes

- name: Look for local private key
  find:
    paths: "{{ wireguard_cert_directory }}"
    patterns: "*.private.key"
  register: local_private_key_to_delete
  delegate_to: localhost
  run_once: true

- name: Delete local private key
  file:
    path: "{{ item.path }}"
    state: absent
  with_items: "{{ local_private_key_to_delete.files }}"
  delegate_to: localhost
  run_once: true