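# WireGuard bootstrap for the vpn01 interface.
#
# A private key is generated on the target host (or recovered from an existing
# /etc/wireguard/vpn01.conf) unless the caller already supplied
# `wireguard_private_key`; only the derived public key is exported as
# `wireguard__fact_public_key`. Every task that handles the private key runs
# with `no_log: true` so the key never lands in play output or callback logs.
#
# File modes are quoted strings: an unquoted `0700` is octal on a YAML 1.1
# loader, while an unquoted `755` is *decimal* 755 (octal 1363) — the original
# config-file and script modes were affected by the latter.
- name: Install Wireguard
  ansible.builtin.apt:
    # Single package, so no loop is needed; `latest` keeps the original
    # upgrade-on-run behaviour (ansible-lint package-latest would prefer
    # `present` for reproducible runs).
    name: wireguard
    state: latest
    update_cache: true

- name: Register if config/private key already exists on target host
  ansible.builtin.stat:
    path: /etc/wireguard/vpn01.conf
  register: wireguard__register_config_file
  tags:
    - wg-generate-keys
    - wg-config

- name: WireGuard private key handling for new keys
  # Only when no config exists on the host and no key was passed in.
  when:
    - not wireguard__register_config_file.stat.exists
    - wireguard_private_key is not defined
  block:
    - name: Generate WireGuard private key
      ansible.builtin.command: "wg genkey"
      register: wireguard__register_private_key
      changed_when: false
      # genkey only prints a key; running it in check mode too means the
      # set_fact below never dereferences a skipped result.
      check_mode: false
      # stdout is the private key — keep it out of logs.
      no_log: true
      tags:
        - wg-generate-keys

    - name: Set private key fact
      ansible.builtin.set_fact:
        wireguard_private_key: "{{ wireguard__register_private_key.stdout }}"
      no_log: true
      tags:
        - wg-generate-keys

- name: WireGuard private key handling for existing keys
  # Config present on the host and no key passed in: reuse the stored key.
  when:
    - wireguard__register_config_file.stat.exists
    - wireguard_private_key is not defined
  block:
    - name: Read WireGuard config file
      ansible.builtin.slurp:
        src: /etc/wireguard/vpn01.conf
      register: wireguard__register_config
      # The slurped content includes the PrivateKey line.
      no_log: true
      tags:
        - wg-config

    - name: Set private key fact
      ansible.builtin.set_fact:
        # Fails loudly (`first` on an empty list) if the file has no PrivateKey line.
        wireguard_private_key: "{{ wireguard__register_config['content'] | b64decode | regex_findall('PrivateKey = (.*)') | first }}"
      no_log: true
      tags:
        - wg-config

- name: Derive WireGuard public key
  ansible.builtin.command: "wg pubkey"
  args:
    stdin: "{{ wireguard_private_key }}"
  register: wireguard__register_public_key
  changed_when: false
  check_mode: false
  # The stdin argument (the private key) is part of the task result otherwise.
  no_log: true
  tags:
    - wg-config

- name: Set public key fact
  ansible.builtin.set_fact:
    wireguard__fact_public_key: "{{ wireguard__register_public_key.stdout }}"
  tags:
    - wg-config

- name: Create WireGuard configuration directory
  ansible.builtin.file:
    path: /etc/wireguard/
    state: directory
    mode: "0700"
  tags:
    - wg-config

- name: Generate WireGuard configuration file
  ansible.builtin.template:
    src: wg.conf.j2
    dest: /etc/wireguard/vpn01.conf
    owner: root
    group: root
    # The rendered config contains the private key: root read/write only.
    # wg-quick runs as root, so 0600 is sufficient.
    mode: "0600"
  tags:
    - wg-config
  notify:
    - reconfigure wireguard

- name: Copy PostUp Script
  ansible.builtin.copy:
    src: postup.sh
    dest: /etc/wireguard/postup.sh
    # Executable script; quoted so the loader does not read 755 as decimal.
    mode: "0755"
  tags:
    - wg-config
  notify:
    - reconfigure wireguard

- name: Start and enable WireGuard service
  ansible.builtin.service:
    name: "wg-quick@vpn01"
    state: started
    enabled: true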