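---
# Ansible play: installs WireGuard, turns on IPv4 forwarding and proxy ARP,
# renders a systemd-networkd .netdev/.network pair for wg0, restarts
# networkd, and adds the iptables rules that let traffic pass through wg0.
#
# Layout fixes versus the previous revision: `become: yes` -> `become: true`
# (yamllint `truthy`; same meaning to Ansible), flow-style lists turned into
# block style, every task named, and the file mode written as "0640" so the
# octal intent is explicit (still a quoted string, so YAML does not retype it).
- name: Wireguard config
  hosts: tamriel
  remote_user: ansible_worker
  become: true
  vars_files:
    # NOTE(review): secrets.yml is loaded in the clear here; presumably it is
    # vault-encrypted or kept out of VCS -- confirm.
    - secrets.yml
  tasks:
    - name: install wireguard
      apt:
        name: wireguard

    # Both sysctl tasks use the module defaults for persistence and reload;
    # `state: present` only asserts the key/value pair.
    - name: IPv4 forwarding
      sysctl:
        name: net.ipv4.ip_forward
        value: "1"
        state: present

    # NOTE(review): proxy_arp on *all* interfaces is broader than a single
    # interface; presumably wanted so the host answers ARP for peer addresses
    # on the LAN -- confirm against the .network template.
    - name: ARP proxy
      sysctl:
        name: net.ipv4.conf.all.proxy_arp
        value: "1"
        state: present

    - name: Enable systemd-networkd
      systemd:
        enabled: true
        state: started
        name: systemd-networkd

    # The .netdev is readable only by root and the systemd-network group
    # (a WireGuard .netdev normally carries the private key -- confirm the
    # template before relaxing this).
    - name: Generate wireguard config
      template:
        src: templates/wg.netdev.j2
        dest: /etc/systemd/network/30-wg0.netdev
        owner: root
        group: systemd-network
        mode: "0640"

    # No owner/group/mode is set here, so the .network file gets the
    # template module's defaults; it holds addressing only, as far as this
    # play shows.
    - name: Generate networkd config
      template:
        src: templates/wg.network.j2
        dest: /etc/systemd/network/30-wg0.network

    # systemd-networkd doesn't reload netdev, so the link is torn down and
    # recreated by the restart below. `|| true` keeps the task green when the
    # interface does not exist yet (first run), which is why `shell` rather
    # than `command` is used.
    - name: Remove interface
      shell: ip link del dev wg0 || true

    - name: Restart systemd-networkd
      systemd:
        state: restarted
        name: systemd-networkd

    # Firewall rules. They are added in the order written; the module does
    # not set a chain policy and nothing in this play persists the rules
    # across a reboot -- confirm both are handled elsewhere.
    - name: Accept established/related input
      iptables:
        chain: INPUT
        match: conntrack
        ctstate:
          - RELATED
          - ESTABLISHED
        jump: ACCEPT

    - name: Accept established/related forward
      iptables:
        chain: FORWARD
        match: conntrack
        ctstate:
          - RELATED
          - ESTABLISHED
        jump: ACCEPT

    # NOTE(review): the next rule accepts everything arriving on wg0, so this
    # wg0 -> wg0 NEW rule is subsumed by it -- keep if the intent is to later
    # narrow the broader rule, otherwise one of the two is redundant.
    - name: Accept new wg0 to wg0 forward
      iptables:
        chain: FORWARD
        in_interface: wg0
        out_interface: wg0
        match: conntrack
        ctstate:
          - NEW
        jump: ACCEPT

    - name: Accept forward from wg0
      iptables:
        chain: FORWARD
        in_interface: wg0
        jump: ACCEPT

    # Source-NAT everything leaving via ens2 (the uplink, by the look of it).
    - name: Masquerade outbound traffic on ens2
      iptables:
        table: nat
        chain: POSTROUTING
        out_interface: ens2
        jump: MASQUERADE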