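- tags:
    - lxc-host
    - lxc-host-network
  # Every task in this block runs as root; the per-task `become` lines below
  # are redundant with this setting but harmless.
  become: true
  vars:
    # Per-host interface records are looked up in host_database by the short
    # hostname (ansible_hostname is a gathered fact) and the interface name.
    # NOTE(review): json_query builds an unquoted JMESPath identifier path; a
    # hostname or interface name containing '-' or '.' is not a valid bare
    # identifier there — confirm the inventory names fit, or quote the
    # segments in the expression. A path that matches nothing appears to yield
    # an empty value rather than an undefined-variable error, so the failure
    # surfaces later at the first `.ipv4` access.
    #
    # Record (ipv4 address/netmask/gateway) for the physical uplink interface.
    hardware_if: "{{ host_database | json_query(ansible_hostname + '.interfaces.' + lxc_host__hardware_if) }}"
    # Name of the bridge the containers attach to.
    br_if: "{{ lxc_host__br_if }}"
    # Record whose ipv4/ipv6 addresses are assigned to the bridge; the dummy
    # interface named lxc_host__internal_if is enslaved to that bridge below.
    internal_if: "{{ host_database | json_query(ansible_hostname + '.interfaces.' + lxc_host__internal_if) }}"
  block: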
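    # Print the resolved interface records so a failed lookup is visible in the
    # play output before any configuration is written to the host.
    - name: Show resolved hardware interface record
      debug:
        var: hardware_if

    - name: Show bridge interface name
      debug:
        var: br_if

    - name: Show resolved internal interface record
      debug:
        var: internal_if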

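    - name: Configure sysctl, enable ipv4 and ipv6 forwarding
      become: true
      copy:
        dest: /etc/sysctl.d/99-lxc-host.conf
        # Explicit mode so the result does not depend on the remote umask.
        mode: "0644"
        # NOTE(review): enabling net.ipv6.conf.all.forwarding makes the kernel
        # treat the host as an IPv6 router, which stops router-advertisement
        # processing on interfaces whose accept_ra is 1 (the default) — confirm
        # the uplink does not rely on SLAAC/RA for its address or default route.
        content: |
          net.ipv4.ip_forward=1
          net.ipv6.conf.all.forwarding=1
      # The new values only take effect through this handler (defined outside
      # this file).
      notify: restart sysctl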

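    - name: Enable UFW
      become: true
      # NOTE(review): ufw's shipped default drops incoming traffic, and no rule
      # allowing the SSH/management port is visible in this file — confirm one
      # is added elsewhere in the role, otherwise new connections to the host
      # are blocked once this runs (the current session survives via the
      # established-connection rules in before.rules).
      ufw:
        state: enabled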

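    - name: Set UFW default policy for outgoing traffic
      become: true
      ufw:
        policy: allow
        direction: outgoing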

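    # Needed so container traffic forwarded across the bridge is not dropped.
    # NOTE(review): this permits forwarded traffic in every direction, so any
    # peer with a route to the container subnet can also reach it through this
    # host; scope it with interface-bound `route` rules if that is not intended.
    - name: Set UFW default policy for routed (forwarded) traffic
      become: true
      ufw:
        policy: allow
        direction: routed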

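    - name: Set UFW default policy for incoming traffic
      become: true
      ufw:
        policy: deny
        direction: incoming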

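    - name: Enable NAT configuration through UFW
      become: true
      # Handler is defined outside this file.
      notify: reload ufw
      blockinfile:
        path: /etc/ufw/before.rules
        # Anchor on the comment that precedes ufw's own filter table. blockinfile
        # treats this as a regex; when it does not match (e.g. a packaged
        # before.rules that rewords the line) the block is appended at end of
        # file instead, so check placement after ufw upgrades.
        insertbefore: "# Don't delete these required lines, otherwise there will be errors"
        # -s limits masquerading to the container subnet and -o to the uplink;
        # the "eth0" remark inside the block is boilerplate, the interface is
        # substituted from lxc_host__hardware_if.
        block: |
          # NAT table rules
          *nat
          :POSTROUTING ACCEPT [0:0]

          # Forward traffic through eth0 - Change to match you out-interface
          -A POSTROUTING -s {{ internal_if.ipv4.address }}/{{ internal_if.ipv4.netmask }} -o {{ lxc_host__hardware_if }} -j MASQUERADE

          # don't delete the 'COMMIT' line or these nat table rules won't be processed
          COMMIT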

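    - name: enable systemd-networkd
      # NOTE(review): assumes no other manager (netplan, NetworkManager,
      # ifupdown) owns these interfaces — two managers on one link fight over
      # addresses; confirm on the target image.
      service:
        name: systemd-networkd
        enabled: true
        state: started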

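    - name: "/etc/systemd/network/50-0-lxc-host-{{ lxc_host__hardware_if }}.network"
      # NOTE(review): restarting networkd re-applies this file to the uplink; if
      # the configured address differs from the one the Ansible session came in
      # on, that session may drop — confirm before running against remote hosts.
      notify: systemctl restart systemd-networkd
      copy:
        dest: "/etc/systemd/network/50-0-lxc-host-{{ lxc_host__hardware_if }}.network"
        # Explicit mode so the result does not depend on the remote umask.
        mode: "0644"
        # Address= takes addr/prefix-length, so the netmask field must be a
        # prefix length (e.g. 24), not a dotted quad — confirm host_database's
        # format.
        content: |
          [Match]
          Name={{ lxc_host__hardware_if }}

          [Network]
          Address={{ hardware_if.ipv4.address }}/{{ hardware_if.ipv4.netmask }}
          Gateway={{ hardware_if.ipv4.gateway }}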

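    - name: "/etc/systemd/network/50-1-lxc-host-{{ lxc_host__internal_if }}.netdev"
      notify: systemctl restart systemd-networkd
      # Creates a dummy link; it carries no address itself and is enslaved to
      # the bridge by the matching .network file.
      copy:
        dest: "/etc/systemd/network/50-1-lxc-host-{{ lxc_host__internal_if }}.netdev"
        # Explicit mode so the result does not depend on the remote umask.
        mode: "0644"
        content: |
          [NetDev]
          Name={{ lxc_host__internal_if }}
          Kind=dummy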

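    - name: "/etc/systemd/network/50-2-lxc-host-{{ lxc_host__internal_if }}.network"
      notify: systemctl restart systemd-networkd
      # Enslaves the dummy interface to the bridge named br_if.
      copy:
        dest: "/etc/systemd/network/50-2-lxc-host-{{ lxc_host__internal_if }}.network"
        # Explicit mode so the result does not depend on the remote umask.
        mode: "0644"
        content: |
          [Match]
          Name={{ lxc_host__internal_if }}

          [Network]
          Bridge={{ br_if }}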

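    - name: "/etc/systemd/network/50-3-lxc-host-{{ br_if }}.netdev"
      notify: systemctl restart systemd-networkd
      # Creates the bridge the containers attach to; its addresses come from the
      # matching .network file.
      copy:
        dest: "/etc/systemd/network/50-3-lxc-host-{{ br_if }}.netdev"
        # Explicit mode so the result does not depend on the remote umask.
        mode: "0644"
        content: |
          [NetDev]
          Name={{ br_if }}
          Kind=bridge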

    - name: "/etc/systemd/network/50-4-lxc-host-{{ br_if }}.network"
      notify: systemctl restart systemd-networkd
      # Assigns the internal_if record's addresses to the bridge; the IPv6
      # address is written only when the record has an `ipv6` key.
      # NOTE(review): Address= takes addr/prefix-length, so both netmask fields
      # must be prefix lengths, not dotted quads — confirm host_database's
      # format.
      copy:
        dest: "/etc/systemd/network/50-4-lxc-host-{{ br_if }}.network"
        content: |
          [Match]
          Name={{ br_if }}

          [Network]
          Address={{ internal_if.ipv4.address }}/{{ internal_if.ipv4.netmask }}
          {% if internal_if.ipv6 is defined %}
          Address={{ internal_if.ipv6.address }}/{{ internal_if.ipv6.netmask }}
          {% endif %}