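---
# Ansible play: provision a strongSwan responder (swanctl configuration) on the
# `knot` host. Installs the package, one RSA private key per entry in `peers`,
# and a swanctl connection file, then restarts strongswan via the handler.
#
# Review notes (hedged — confirm against the rest of the repo):
#   * The connection references `moonCert.pem`, `moon.strongswan.org` and
#     `ca-cert.der`, none of which this play installs; the only files it copies
#     are `<peer>-key.der`. Presumably provisioned elsewhere — verify, and check
#     the moon.* values are not leftover strongSwan sample values.
#   * `remote { auth = pubkey }` carries no `id` constraint, so any certificate
#     chaining to the configured CA is accepted for the `rw` connection.
#   * `crl_uris` is left empty and the CRL lines are commented out, so
#     certificate revocation is effectively not checked.
#   * `fec0::1` is in the deprecated site-local range (RFC 3879).
- hosts:
    - knot
  vars_files:
    # presumably defines strongswan_ts, used in the conf template below — verify
    - strongswan-vars.yml
  vars:
    # Each peer gets files/swanctl/<peer>/rsa/<peer>-key.der installed.
    peers:
      - arius
  handlers:
    - name: systemctl restart strongswan
      become: true
      systemd:
        name: strongswan
        state: restarted
  tasks:
    - become: true
      block:
        - name: packages
          apt:
            # apt accepts a list directly; no loop needed.
            name:
              - strongswan-swanctl
            install_recommends: false

        - name: install certs
          # These are private keys: restrict them to root only. Without an
          # explicit mode, copy falls back to the remote umask and the key can
          # end up readable by every local user.
          copy:
            src: "swanctl/{{ item }}/rsa/{{ item }}-key.der"
            dest: "/etc/swanctl/rsa/{{ item }}-key.der"
            owner: root
            group: root
            mode: "0600"
          with_items: "{{ peers }}"

        - name: install swanctl.conf
          notify: systemctl restart strongswan
          copy:
            dest: /etc/swanctl/conf.d/trygvis.io.conf
            content: |
              connections {
                rw {
                  local_addrs = fec0::1
                  local {
                    auth = pubkey
                    certs = moonCert.pem
                    id = moon.strongswan.org
                  }
                  remote {
                    auth = pubkey
                  }
                  children {
                    net {
                      local_ts = {{ strongswan_ts }}
                      updown = /usr/local/libexec/ipsec/_updown iptables
                      esp_proposals = aes128-sha256-x25519
                    }
                  }
                  version = 2
                  proposals = aes128-sha256-x25519
                }
              }
              authorities {
                strongswan {
                  #cacert = caCert.pem
                  #crl_uris = http://ip6-winnetou.strongswan.org/strongswan.crl
                  cacert = ca-cert.der
                  crl_uris =
                }
              }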