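---
# WireGuard host setup for systemd-networkd:
#   1. generate a keypair on the host (once),
#   2. publish the host's public key to the controller,
#   3. render the .netdev (interface + peers) and .network (address + routes)
#      units and make sure systemd-networkd is running.
# Variables expected from the caller: private_key_path, public_key_path,
# public_keys_path, netdev_path, network_path, wireguard_if,
# wireguard_address4, wireguard_peers, and optionally wireguard_listen_port
# and wireguard_routers.

- name: "wg genkey {{ private_key_path }}"
  become: true
  # The key is generated into a shell variable first so that a failing
  # `wg genkey` leaves no empty key file behind; with a plain pipe into tee
  # the task would report success and `creates:` would then skip
  # regeneration forever. umask 077 keeps both files private until the
  # ownership/mode task below runs.
  shell: >-
    umask 077 &&
    key="$(wg genkey)" &&
    printf '%s\n' "$key" > "{{ private_key_path }}" &&
    printf '%s\n' "$key" | wg pubkey > "{{ public_key_path }}"
  args:
    creates: "{{ private_key_path }}"
  register: wg_private_key_gen

- name: Set ownership and mode of the key files
  become: true
  # NOTE(review): 0640 with group adm makes the private key readable by every
  # member of adm; this assumes that group is trusted with the key — confirm.
  file:
    path: "{{ item }}"
    owner: systemd-network
    group: adm
    mode: "0640"
  loop:
    - "{{ private_key_path }}"
    - "{{ public_key_path }}"

- name: Fetch the public key to the controller
  become: true
  # Not gated on wg_private_key_gen.changed: the peer lookup in the .netdev
  # template needs the .pub file on the controller, and a fetch that failed
  # once would otherwise never be retried because `creates:` makes the
  # generation task report unchanged on every later run. fetch is idempotent.
  fetch:
    src: "{{ public_key_path }}"
    dest: "files/{{ public_keys_path }}/{{ ansible_hostname }}.pub"
    flat: true

- name: Read the private key
  become: true
  # The key lands in a registered variable; keep it out of callback output
  # and log files.
  no_log: true
  slurp:
    src: "{{ private_key_path }}"
  register: wg_private_key

- name: "Create {{ netdev_path }}"
  become: true
  # The rendered unit embeds the private key, so suppress task logging and
  # --diff output for this task.
  no_log: true
  notify: systemctl restart systemd-networkd
  copy:
    owner: systemd-network
    group: adm
    mode: "0640"
    dest: "{{ netdev_path }}"
    # Ansible renders inline templates with trim_blocks, so block tags on
    # their own line disappear cleanly; a `{%-` before the ListenPort guard
    # would also strip the newline ending the PrivateKey line and is avoided.
    content: |
      [NetDev]
      Name={{ wireguard_if }}
      Kind=wireguard
      Description=Wireguard VPN ({{ wireguard_if }})

      [WireGuard]
      PrivateKey={{ wg_private_key['content'] | b64decode | trim }}
      {% if wireguard_listen_port is defined %}
      ListenPort={{ wireguard_listen_port }}
      {% endif %}
      {% for peer, data in wireguard_peers | dictsort %}
      {% if peer != ansible_hostname %}

      # {{ peer }}
      [WireGuardPeer]
      PublicKey={{ data.public_key if data.public_key is defined else lookup('file', public_keys_path + "/" + peer + ".pub") }}
      {% if data.endpoint is defined %}
      {% if data.endpoint == "auto" %}
      Endpoint={{ hostvars[peer]['ansible_host'] }}:{{ data.listen_port if data.listen_port is defined else wireguard_listen_port }}
      {% else %}
      Endpoint={{ data.endpoint }}:{{ data.listen_port if data.listen_port is defined else wireguard_listen_port }}
      {% endif %}
      {% endif %}
      {% for ip in data.allowed_ips | default([]) %}
      AllowedIPs={{ ip }}
      {% endfor %}
      PersistentKeepalive={{ data.keepalive if data.keepalive is defined else "60" }}
      {% endif %}{# skip this host #}
      {% endfor %}

- name: "Create {{ network_path }}"
  become: true
  notify: systemctl restart systemd-networkd
  copy:
    owner: systemd-network
    group: adm
    mode: "0640"
    dest: "{{ network_path }}"
    # wireguard_routers defaults to an empty list so hosts without static
    # routes need not define it.
    content: |
      [Match]
      Name={{ wireguard_if }}

      [Address]
      Address={{ wireguard_address4 }}

      # Routers
      {% for router in wireguard_routers | default([]) %}
      {% if router.state | default("absent") == "present" %}
      [Route]
      Gateway={{ router.gateway | ipaddr('address') }}
      Destination={{ router.network }}
      {% endif %}{# state #}
      {% endfor %}

- name: Ensure systemd-networkd is enabled and running
  become: true
  systemd:
    unit: systemd-networkd
    state: started
    enabled: true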