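---
# Sets up a WireGuard VPN gateway: installs the package from
# buster-backports, renders its config, enables IPv4 forwarding, starts the
# wg-quick unit and adds the NAT rules that expose the peer through the VPN
# interface. Expects a `vpn_gateway` dict with at least `name`, `iface` and
# `peer.address`; a `restart wireguard` handler must exist in the calling play.

- name: Ensure wireguard is present
  apt:
    name: wireguard-tools
    state: present
    default_release: buster-backports
  # Registered so the reboot below only fires when apt actually installed it.
  register: wireguard

- name: Ensure wireguard configuration is present
  template:
    src: templates/wireguard.conf.j2
    dest: "/etc/wireguard/{{ vpn_gateway.name }}.conf"
    owner: root
    group: root
    # Quoted: an unquoted leading-zero literal is octal on YAML 1.1 parsers
    # but decimal on 1.2; quoting keeps the mode unambiguous. Owner-only
    # because the rendered file is where the wg private key ends up.
    mode: "0600"
  notify: restart wireguard

- name: Enable IPv4 forwarding
  sysctl:
    name: net.ipv4.ip_forward
    value: "1"
    reload: true

# Presumably needed so the kernel module from the backports package becomes
# available; a modprobe might avoid the reboot — TODO confirm.
- name: Reboot to allow wireguard to start
  reboot:
  when: wireguard.changed

- name: Ensure wireguard is enabled
  systemd:
    name: "wg-quick@{{ vpn_gateway.name }}.service"
    state: started
    enabled: true

- name: Ensure the route script to be present
  template:
    src: templates/routes.sh.j2
    dest: "/usr/local/bin/routes_vpn_{{ vpn_gateway.name }}.sh"
    owner: root
    group: root
    mode: "0700"

# NOTE(review): the iptables module does not persist rules; after a reboot
# that this play did not trigger, the two rules below are gone until the
# play runs again.
- name: Masquerade packets outgoing from vpn iface
  iptables:
    table: nat
    chain: POSTROUTING
    out_interface: "{{ vpn_gateway.iface }}"
    jump: MASQUERADE

# No protocol or port match, so everything arriving on vpn_gateway.iface is
# redirected to the peer. Narrow with `protocol` / `destination_port` if
# only specific services are meant to be reachable.
- name: Allow packets from external iface to reach internal machine
  iptables:
    table: nat
    chain: PREROUTING
    in_interface: "{{ vpn_gateway.iface }}"
    jump: DNAT
    to_destination: "{{ vpn_gateway.peer.address }}"

# NOTE(review): renders the same template a second time to a fixed path;
# only this copy is executed below, so the per-gateway copy above looks like
# a leftover — confirm before dropping either.
- name: Create the routes helper file
  template:
    src: templates/routes.sh.j2
    dest: /usr/local/bin/vpn_routes.sh
    owner: root
    group: root
    mode: "0700"

# `command` rather than `shell`: no shell features are used, so there is no
# reason to go through /bin/sh. Runs on every play and always reports
# "changed"; the script itself decides what to (re)apply.
- name: Run the routes script
  command: /usr/local/bin/vpn_routes.sh

# - name: Apply the needed routes
#   shell: |
#     ip rule add from {{ vpn_gateway.peer.address }} table {{ vpn_gateway.table|default(130) }} || true
#     ip route add to default via {{ vpn_gateway.gateway_ip }} dev {{ vpn_gateway.iface }} table {{ vpn_gateway.table|default(130) }} || true
#   ignore_errors: yes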