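---
# WireGuard server provisioning task list (apt-based host).
# Variables expected from the caller: wireguard_packages, apt_packages,
# wg_server_home, wg_peers_home, wg_port.
#
# Changes vs. the previous revision:
#   - `update_cache: yes` -> `true` (canonical boolean, yamllint `truthy`)
#   - key generation runs under `set -e` / `umask 077` so a failed step is
#     reported and the generated key files are not created world-readable
#   - tasks that handle the private key carry `no_log: true` so its contents
#     do not end up in the play output or logs
#   - quoting of file modes made consistent (all double-quoted strings)

- name: install wireguard and dependencies
  apt:
    name: "{{ wireguard_packages }}"
    state: present
    update_cache: true
  environment:
    DEBIAN_FRONTEND: noninteractive  # same non-interactive setting as the apt task below

- name: update apt packages
  apt:
    update_cache: true

- name: install apt packages
  apt:
    name: "{{ apt_packages }}"
    state: present
    update_cache: true
  environment:
    DEBIAN_FRONTEND: noninteractive

# Both directories hold key material; root-only access.
- name: create wireguard server directory
  file:
    path: "{{ wg_server_home }}"
    state: directory
    mode: "0700"

- name: create wireguard peers directory
  file:
    path: "{{ wg_peers_home }}"
    state: directory
    mode: "0700"

# Idempotent via `creates`: once server.key exists the keys are never
# regenerated, so an existing tunnel configuration stays valid.
# `set -e` makes a failed `wg genpsk` abort the step instead of leaving a
# half-generated key pair; `umask 077` keeps the key files at 0600.
- name: generate wireguard server keys
  shell:
    cmd: |
      set -e
      umask 077
      wg genpsk > "{{ wg_server_home }}/psk.key"
      wg genkey > "{{ wg_server_home }}/server.key"
    creates: "{{ wg_server_home }}/server.key"
    chdir: "{{ wg_server_home }}"

# Derives the public key on every run; read-only, hence `changed_when: false`.
- name: get server public key
  shell:
    cmd: wg pubkey < "{{ wg_server_home }}/server.key"
  register: server_pubkey
  changed_when: false

# The private key is read into a fact (presumably consumed by wg0.conf.j2).
# `no_log` keeps the base64 content and the decoded key out of task output.
- name: read wireguard server.key from remote host
  slurp:
    src: "{{ wg_server_home }}/server.key"
  register: wg_key
  no_log: true

- name: set private key from remote file
  set_fact:
    private_key: "{{ wg_key.content | b64decode }}"
  no_log: true

- name: deploy {{ wg_server_home }}/wg0.conf
  template:
    src: wg0.conf.j2
    dest: "{{ wg_server_home }}/wg0.conf"
    mode: "0600"

- name: deploy manage_wg_peers.sh
  template:
    src: manage_wg_peers.sh.j2
    dest: /root/manage_wg_peers.sh
    mode: "0600"

# NOTE: `state: restarted` restarts the tunnel on every play run, not only
# when wg0.conf changed; a handler notified by the template task would be
# the idempotent form (handlers live outside this task file).
- name: restart wireguard
  systemd:
    name: wg-quick@wg0.service
    state: restarted
    enabled: true
  when: ansible_service_mgr == 'systemd'

- name: allow wg port
  ufw:
    rule: allow
    port: "{{ wg_port }}"
    proto: udp

- name: set wg-only pveproxy config
  template:
    src: pveproxy
    dest: /etc/default/pveproxy
    mode: "0644"

# Same every-run restart caveat as the wireguard task above.
- name: restart pveproxy
  systemd:
    name: pveproxy
    state: restarted
    enabled: true
  when: ansible_service_mgr == 'systemd'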