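# SPDX-FileCopyrightText: 2021 Free Software Foundation Europe
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
# Tasks for the innernet server: install, update or remove the
# innernet-server package, bootstrap the network, create CIDRs and
# manually defined peers, open the firewall and (re)start the daemon.

- name: Gather which packages are installed on the server
  tags: [update, uninstall]
  package_facts:
    manager: auto

- name: Make sure needed packages for innernet and wireguard are installed
  apt:
    package:
      - python3-pexpect
      - rsync
      - sqlite3
      - wireguard
      - wireguard-tools
      - ufw

- name: Remove existing innernet configuration
  tags: [never, uninstall]
  expect:
    command: "innernet-server uninstall {{ network_name }}"
    responses:
      # Literal text sent to the interactive confirmation prompt; it is a
      # string on purpose, not a YAML boolean.
      (?i)delete: "yes"
  when: "'innernet-server' in ansible_facts.packages"

- name: Remove innernet package on server
  tags: [never, uninstall]
  apt:
    name: innernet-server
    state: absent
    purge: true
  when: "'innernet-server' in ansible_facts.packages"

- name: Install innernet package on server
  tags: [update]
  block:
    - name: Copy innernet-server package to server
      tags: [update]
      synchronize:
        src: "innernet-server.deb"
        dest: "/tmp/innernet-server.deb"

    - name: Install innernet-server package
      tags: [update]
      apt:
        deb: "/tmp/innernet-server.deb"
        update_cache: true
        install_recommends: true
  # If 1. innernet-server not installed or 2. `update` tag executed
  # NOTE(review): block-level placement of this condition was reconstructed
  # from a collapsed source; confirm it was meant to guard both tasks.
  when: "'innernet-server' not in ansible_facts.packages or 'update' in ansible_run_tags"

- name: Check if innernet network is initialised
  stat:
    path: "/etc/innernet-server/{{ network_name }}.conf"
  register: conf_file

# The variables interpolated into the shell commands below end up on a
# command line; they are expected to come from the role's own variables,
# never from untrusted input.
- name: Create base network if not existent yet
  shell: |
    innernet-server new \
      --network-name "{{ network_name }}" \
      --network-cidr "{{ network_cidr }}" \
      --external-endpoint "[{{ hostvars[inventory_hostname]['ansible_default_ipv6']['address'] }}]:{{ network_listen_port }}" \
      --listen-port {{ network_listen_port }}
  when: not conf_file.stat.exists

- name: Get existing CIDRs from innernet-server database
  tags: [cidr]
  shell: 'sqlite3 /var/lib/innernet-server/{{ network_name }}.db "select name from cidrs;"'
  register: existing_cidrs

- name: Create new CIDRs
  tags: [cidr]
  shell: |
    innernet-server add-cidr "{{ network_name }}" \
      --name "{{ item.key }}" \
      --parent "{{ item.value.parent }}" \
      --cidr "{{ item.value.cidr }}" \
      --yes
  loop: "{{ cidrs | dict2items }}"
  when:
    - item.key not in existing_cidrs.stdout_lines

# Configure manually defined peers (mostly humans)
- name: Get existing peers from innernet-server database
  shell: 'sqlite3 /var/lib/innernet-server/{{ network_name }}.db "select name from peers;"'
  register: existing_peers
  run_once: true

- name: Add manually defined peers
  include_tasks: add_peer.yml
  vars:
    peer_name: "{{ item.key }}"
    peer_cidr: "{{ item.value.cidr }}"
    # Defaults to the string 'false'; add_peer.yml is responsible for
    # interpreting it.
    peer_admin: "{{ item.value.admin | default('false') }}"
    manual: true
  loop: "{{ manual_peers | dict2items }}"
  when:
    - item.key not in existing_peers.stdout_lines

# SSH is allowed before the default-deny policy is enabled so the
# management connection survives the change.
- name: Enable firewall and allow SSH
  ufw:
    state: enabled
    default: deny
    to_port: "22"
    rule: allow

- name: Allow UDP traffic on WireGuard port
  ufw:
    to_port: "{{ network_listen_port_server }}"
    # Limit the rule to UDP as the task name states; WireGuard does not
    # speak TCP, so opening it would only widen the exposed surface.
    proto: udp
    rule: allow
  # NOTE(review): the network is created with network_listen_port above but
  # this rule opens network_listen_port_server — confirm both variables are
  # defined and agree, otherwise WireGuard traffic stays blocked.

- name: Restart and enable innernet-server daemon
  tags: [update, listen_port]
  systemd:
    name: "innernet-server@{{ network_name }}"
    state: restarted
    enabled: true
    daemon_reload: true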