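# SPDX-FileCopyrightText: 2021 Free Software Foundation Europe
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
# Tasks for installing, updating and removing the innernet client on hosts.
# Tasks tagged `never` only run when one of their other tags is requested.

# The `expect` module used by the uninstall task needs pexpect on the target.
- name: Install needed packages for uninstalling innernet
  tags: [never, uninstall]
  apt:
    package:
      - python3-pexpect

# Answers the interactive prompt matching "delete" (case-insensitive).
- name: Remove existing innernet
  tags: [never, uninstall]
  expect:
    command: "innernet uninstall {{ network_name }}"
    responses:
      (?i)delete: "yes"

- name: Install needed packages
  tags: [always, update]
  apt:
    package:
      - ufw
      - rsync
      - wireguard
      - wireguard-tools

# NOTE(review): /tmp is world-writable and this path is fixed; the file is
# installed as a package by the next task. On hosts with other local users,
# consider staging it in a directory only root can write to.
- name: Copy package to host
  tags: [never, update]
  synchronize:
    src: "innernet.deb"
    dest: "/tmp/innernet.deb"

- name: Install package
  tags: [never, update]
  apt:
    deb: "/tmp/innernet.deb"
    update_cache: true
    install_recommends: true

# NOTE(review): invitation files presumably carry peer credentials; confirm
# that the source file mode is owner-only, since the copy lands in /tmp.
- name: Copy non-admin invitation to hosts
  tags: [new_peer]
  synchronize:
    src: "{{ item.name }}.toml"
    dest: "/tmp/{{ item.name }}.toml"
  when:
    # is not existing
    - item.name not in hostvars['kaim.fsfeurope.org'].global_existing_peers.stdout_lines
    # only if filename contains a part of the hostname
    - item.name in ansible_host|replace('.', '-')
  loop: "{{ peers }}"

# Uses `command` with an argv list instead of `shell`: no shell features are
# needed, and the templated peer name is passed as a single argument rather
# than being interpolated into a shell command line.
- name: Install non-admin invitation on hosts
  tags: [new_peer]
  command:
    argv:
      - innernet
      - install
      - "/tmp/{{ item.name }}.toml"
      - "--default-name"
      - "--delete-invite"
  when:
    # is not existing
    - item.name not in hostvars['kaim.fsfeurope.org'].global_existing_peers.stdout_lines
    # only if filename contains a part of the hostname
    - item.name in ansible_host|replace('.', '-')
  loop: "{{ peers }}"

- name: Set listen port
  tags: [listen_port]
  community.general.ini_file:
    path: "/etc/innernet/{{ network_name }}.conf"
    section: interface
    option: listen-port
    value: "{{ network_listen_port }}"
    # Quoted octal string: a bare 600 is read as a decimal integer and yields
    # unintended permission bits instead of owner read/write only.
    mode: "0600"
    # NOTE(review): the backup copy is written next to the original; confirm
    # that old backups are owner-only and cleaned up.
    backup: true

- name: Allow UDP traffic on WireGuard port
  tags: [listen_port, firewall]
  ufw:
    to_port: "{{ network_listen_port }}"
    rule: allow
    proto: udp

- name: Just force systemd to reread configs (2.4 and above)
  tags: [systemd, daemon]
  ansible.builtin.systemd:
    daemon_reload: true

- name: Restart and enable innernet daemon
  tags: [systemd, daemon]
  ansible.builtin.systemd:
    name: "innernet@{{ network_name }}"
    state: restarted
    enabled: true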