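# Installs dnsmasq, replaces /etc/dnsmasq.d with a single templated config for
# the vmbr1 bridge, opens DHCP (UDP 67) on that bridge in ufw's before.rules,
# and restarts the service. The whole block is skipped unless enable_dnsmasq
# evaluates to true.
- name: configure and enable dnsmasq if enabled
  when: enable_dnsmasq | bool
  block:
    - name: install dnsmasq
      apt:
        name: dnsmasq
        state: present
        update_cache: true

    # The drop-in directory is deleted and recreated so that only the file
    # templated below remains in it. Side effect: these two tasks report
    # "changed" on every run where the directory already exists.
    - name: remove existing /etc/dnsmasq.d directory and all contents
      file:
        path: /etc/dnsmasq.d
        state: absent

    - name: recreate empty /etc/dnsmasq.d directory
      file:
        path: /etc/dnsmasq.d
        state: directory
        owner: root
        group: root
        mode: '0755'

    # root-owned and not group/world-writable, so only root can change what
    # the DHCP/DNS service hands out on the bridge.
    - name: deploy dnsmasq config from template
      template:
        src: vmbr1.conf.j2
        dest: /etc/dnsmasq.d/vmbr1.conf
        owner: root
        group: root
        mode: '0644'
        # Syntax-check the rendered file before it is moved into place. If the
        # render is invalid the play stops here, before the restart task, so
        # the running dnsmasq is not restarted into a broken config.
        validate: /usr/sbin/dnsmasq --test --conf-file=%s

    - name: ensure dnsmasq group exists
      group:
        name: dnsmasq
        system: true

    # System account with no home directory; primary group is the dnsmasq
    # group ensured by the previous task.
    - name: ensure dnsmasq user exists
      user:
        name: dnsmasq
        group: dnsmasq
        system: true
        create_home: false

    # Both rules are pinned to the vmbr1 interface and UDP port 67, so DHCP is
    # not opened on any other interface. The marker lets blockinfile find and
    # update this block on later runs instead of appending a duplicate.
    # NOTE(review): before.rules is only read when ufw loads its rules; nothing
    # in this block reloads ufw, so confirm a reload happens elsewhere or the
    # new rules will not be active until the next ufw reload/reboot.
    - name: insert dhcp allow rules for vmbr1 into /etc/ufw/before.rules
      blockinfile:
        path: /etc/ufw/before.rules
        block: |
          -A ufw-before-input -i vmbr1 -p udp --dport 67 -j ACCEPT
          -A ufw-before-output -o vmbr1 -p udp --sport 67 -j ACCEPT
        marker: "# {mark} ANSIBLE MANAGED DHCP VMBR1 ALLOW RULES"
        insertafter: '^# End required lines'

    # state: restarted bounces the service on every run, not only when the
    # config changed. Hosts whose service manager is not systemd skip this
    # task entirely, so dnsmasq is neither enabled nor restarted there.
    - name: enable and restart dnsmasq service
      systemd:
        name: dnsmasq
        enabled: true
        state: restarted
      when: ansible_service_mgr == 'systemd'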