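---
# Provision a WireGuard peer managed by systemd-networkd on Debian.
#
# Ordering matters: directories are created before the files that live in
# them, the key pair is generated with a restrictive umask so the private key
# is never world-readable (not even briefly), and only the public key leaves
# the host (fetched to the control node for distribution to peers).

- name: Check for Debian Buster or newer
  # The version check alone would also pass on e.g. Ubuntu "20"; the
  # buster-backports task below only makes sense on Debian, so pin the
  # distribution too. `version` is the current name of the former
  # `version_compare` test.
  assert:
    that:
      - "ansible_distribution == 'Debian'"
      - "ansible_distribution_major_version is version('10', '>=')"
    msg: "This role requires at least Debian Buster"

- name: Install wireguard using apt
  apt:
    name:
      - wireguard
    state: present

- name: Upgrade systemd to backports (required for buster)
  # Buster's stock systemd lacks the WireGuard netdev support used below.
  # `state: latest` is deliberate: `present` would not replace the already
  # installed stable packages with the backports build.
  apt:
    default_release: buster-backports
    name:
      - libpam-systemd
      - libsystemd0
      - systemd
    state: latest
  when: "ansible_distribution_major_version == '10'"

- name: Create wireguard configuration directory
  file:
    state: directory
    path: "{{ global_wireguard_configuration_directory }}"
    owner: root
    group: "{{ global_systemd_network_system_user }}"
    mode: "u=rwx,g=rx,o=rx"

- name: Create wireguard key directory
  # Group-readable only: systemd-networkd needs to read the private key,
  # nobody else does.
  file:
    state: directory
    path: "{{ wireguard_key_directory }}"
    owner: root
    group: "{{ global_systemd_network_system_user }}"
    mode: "u=rwx,g=rx,o="

- name: Generate key pair
  # `umask 077` makes tee create the private key as 0600 instead of the
  # default umask (typically 0644), closing the window between this task and
  # the permission fix-up below. The private key only flows through the pipe
  # into the file; stdout of the pipeline is the public key. `no_log` is
  # defence in depth so neither an error path nor verbose output can capture
  # key material.
  shell: >-
    umask 077 &&
    wg genkey
    | tee {{ wireguard_private_key | quote }}
    | wg pubkey > {{ wireguard_public_key | quote }}
  args:
    chdir: "{{ wireguard_key_directory }}"
    creates: "{{ wireguard_public_key }}"
  no_log: true

- name: Restrict private key permissions
  # Readable by root and the networkd group only. The execute bit serves no
  # purpose on a key file and is intentionally not set.
  file:
    state: file
    path: "{{ wireguard_private_key }}"
    owner: root
    group: "{{ global_systemd_network_system_user }}"
    mode: "u=rw,g=r,o="

- name: Download wireguard public key
  # Only the public half is ever copied off the host.
  fetch:
    src: "{{ wireguard_public_key }}"
    dest: "{{ global_wireguard_public_directory }}/{{ inventory_hostname }}"
    fail_on_missing: true
    flat: true
    validate_checksum: true

- name: Store peer configuration locally
  # Rendered on the control node; peer.conf is expected to contain only
  # public-side data (public key, endpoint, allowed IPs).
  template:
    src: peer.conf
    dest: "{{ global_wireguard_peers_directory }}/{{ inventory_hostname }}"
    owner: "{{ local_user }}"
    group: "{{ local_user }}"
    mode: "u=rw,g=r,o="
  delegate_to: localhost

- name: Create directory for systemd WireGuard network
  # Created before the netdev/network units are written: the template module
  # does not create parent directories. Assumes netdev_file/network_file live
  # under netdev_directory (naming suggests so; confirm in the role's vars).
  file:
    state: directory
    path: "{{ netdev_directory }}"
    owner: root
    group: "{{ global_systemd_network_system_user }}"
    mode: "u=rwx,g=rx,o="

- name: Configure systemd for WireGuard
  # The .netdev unit carries the private key path / contents, hence no
  # world read access.
  template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: root
    group: "{{ global_systemd_network_system_user }}"
    mode: "u=rw,g=r,o="
  loop:
    - src: wg.netdev
      dest: "{{ netdev_file }}"
    - src: wg.network
      dest: "{{ network_file }}"
  notify:
    - restart systemd network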