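---
# WireGuard gateway: installs wireguard, renders /etc/wireguard/wg0.conf,
# wires wg0 into ifupdown (/etc/network/interfaces) and adds the forwarding /
# NAT iptables rules for the 10.0.27.0/24 tunnel network behind ens2.
#
# Operational notes (not enforced by this play):
#   - nothing here brings wg0 up or re-applies a changed wg0.conf; a first run
#     needs `ifup wg0` (or a reboot), and later config changes need
#     `ifdown wg0 && ifup wg0` or `wg syncconf` — consider a handler.
#   - the iptables rules are runtime-only; without iptables-persistent /
#     netfilter-persistent (or an equivalent save) they are lost on reboot.
#   - secrets.yml is loaded as a vars file; it should be ansible-vault
#     encrypted if it holds the WireGuard private key or peer keys.
- name: Wireguard config
  hosts: tamriel
  remote_user: ansible_worker
  become: true
  vars_files:
    - secrets.yml
  tasks:
    - name: install wireguard
      apt:
        name: wireguard

    - name: IPv4 forwarding
      sysctl:
        name: net.ipv4.ip_forward
        value: "1"
        state: present

    # NOTE(review): proxy_arp on "all" makes the host answer ARP for any
    # address it can route on every interface, not just the tunnel side;
    # confirm this is intended rather than net.ipv4.conf.ens2.proxy_arp.
    - name: ARP proxy
      sysctl:
        name: net.ipv4.conf.all.proxy_arp
        value: "1"
        state: present

    # The rendered file is what `wg setconf` reads below, so it carries the
    # interface PrivateKey (and any peer preshared keys). Without an explicit
    # mode the template module falls back to the umask (typically 0644),
    # leaving the key world-readable; pin it to root:root 0600 as `wg` itself
    # expects (the tool warns on a world-accessible config).
    - name: Generate wireguard config
      template:
        src: templates/wg.conf.j2
        dest: /etc/wireguard/wg0.conf
        owner: root
        group: root
        mode: "0600"

    # Create the wg0 stanza in /etc/network/interfaces; the interfaces_file
    # tasks below require it to exist. The anchor is a regex: "." and "*" are
    # escaped so it matches the stock `source /etc/network/interfaces.d/*`
    # line literally. If the anchor is absent, lineinfile appends at EOF.
    - name: Declare wg0 in /etc/network/interfaces
      lineinfile:
        dest: /etc/network/interfaces
        state: present
        insertafter: '^source /etc/network/interfaces\.d/\*'
        line: auto wg0

    - name: Add wg0 static stanza
      lineinfile:
        dest: /etc/network/interfaces
        state: present
        insertafter: "^auto wg0"
        line: iface wg0 inet static

    - name: Set wg0 address
      interfaces_file:
        iface: wg0
        option: address
        value: 10.0.27.1

    - name: Set wg0 netmask
      interfaces_file:
        iface: wg0
        option: netmask
        value: 255.255.255.0

    # Two pre-up hooks: interfaces_file appends a second pre-up rather than
    # replacing the first, and ifupdown runs them in file order, so the link
    # exists before setconf configures it. $IFACE is expanded by ifupdown.
    - name: Create wg0 link on pre-up
      interfaces_file:
        iface: wg0
        option: pre-up
        value: ip link add $IFACE type wireguard

    - name: Load wg0 config on pre-up
      interfaces_file:
        iface: wg0
        option: pre-up
        value: wg setconf $IFACE /etc/wireguard/$IFACE.conf

    - name: Delete wg0 link on post-down
      interfaces_file:
        iface: wg0
        option: post-down
        value: ip link del $IFACE

    # Firewall: the iptables module appends, so rules land in task order.
    # No rule here opens the WireGuard UDP listen port on INPUT and no
    # default policy is set; if INPUT is DROP elsewhere, handshakes will be
    # blocked — confirm against the host's base policy.
    - name: Allow established/related traffic in
      iptables:
        chain: INPUT
        match: conntrack
        ctstate: ["RELATED", "ESTABLISHED"]
        jump: ACCEPT

    - name: Forward established/related traffic
      iptables:
        chain: FORWARD
        match: conntrack
        ctstate: ["RELATED", "ESTABLISHED"]
        jump: ACCEPT

    # Peer-to-peer forwarding inside the tunnel. Kept for clarity, although
    # the unconditional in_interface=wg0 accept that follows already covers it.
    - name: Forward new connections between wg0 peers
      iptables:
        chain: FORWARD
        in_interface: wg0
        out_interface: wg0
        match: conntrack
        ctstate: ["NEW"]
        jump: ACCEPT

    - name: Forward anything arriving on wg0
      iptables:
        chain: FORWARD
        in_interface: wg0
        jump: ACCEPT

    # Masquerades everything leaving ens2, not only the tunnel subnet; adding
    # `source: 10.0.27.0/24` would scope the NAT to the VPN range if peers'
    # AllowedIPs are confined to it.
    - name: NAT tunnel traffic out of ens2
      iptables:
        table: nat
        chain: POSTROUTING
        out_interface: ens2
        jump: MASQUERADE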