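---
# Gateway host tasks: load variables, configure netplan for the two internal
# interfaces (lan, wild) and the ISP uplink (isp), set up ufw (policies, NAT,
# forwarding), run a DHCP server for the guest ("wild") network and bring up a
# WireGuard endpoint.  The handlers notified here (Apply netplan, Restart DHCP
# server, Reload Systemd, Restart WireGuard) are defined outside this file.

- name: Include public variables.
  include_vars: ../public/vars.yml
  tags: accounts

- name: Include private variables.
  include_vars: ../private/vars.yml
  tags: accounts

- name: Include members.
  include_vars: "{{ lookup('first_found', membership_rolls) }}"
  tags: accounts

- name: Install netplan (gate).
  become: true
  apt:
    name: netplan.io

# lan: static address, DNS and search domain point at core_addr, plus a route
# to the public WireGuard network via core.  wild: static address only.
# The rendered text below is parsed again by netplan, so keep it valid YAML.
- name: Configure netplan (gate).
  become: true
  copy:
    content: |
      network:
        ethernets:
          lan:
            match:
              macaddress: {{ gate_lan_mac }}
            addresses: [ {{ gate_addr_cidr }} ]
            set-name: lan
            dhcp4: false
            nameservers:
              addresses: [ {{ core_addr }} ]
              search: [ {{ domain_priv }} ]
            routes:
              - to: {{ public_wg_net_cidr }}
                via: {{ core_addr }}
          wild:
            match:
              macaddress: {{ gate_wild_mac }}
            addresses: [ {{ gate_wild_addr_cidr }} ]
            set-name: wild
            dhcp4: false
    dest: /etc/netplan/60-gate.yaml
    # Root-only, as the Ubuntu installer writes its own netplan files; recent
    # netplan releases warn when a config is readable by anyone but root.
    mode: "u=rw,g=,o="
  notify: Apply netplan.

# Uplink: DHCP from the ISP, but ignore the DNS servers it hands out (the lan
# stanza above points clients at core_addr instead).  force: false leaves a
# hand-edited file in place once one exists, so this task only seeds it.
- name: Install netplan (ISP).
  become: true
  copy:
    content: |
      network:
        ethernets:
          isp:
            match:
              macaddress: {{ gate_isp_mac }}
            set-name: isp
            dhcp4: true
            dhcp4-overrides:
              use-dns: false
    dest: /etc/netplan/60-isp.yaml
    mode: "u=rw,g=,o="
    force: false
  notify: Apply netplan.

- name: Install UFW.
  become: true
  apt:
    name: ufw

# NOTE(review): DEFAULT_INPUT_POLICY="ACCEPT" means any packet not explicitly
# denied by a ufw rule is accepted on every interface, including the
# Internet-facing isp uplink.  ufw ships with DROP here; unless the intent is
# to rely on rules defined elsewhere, a gateway should keep DROP and allow
# only the services it exposes (e.g. the WireGuard listen port).
- name: Configure UFW policy.
  become: true
  lineinfile:
    path: /etc/default/ufw
    line: "{{ item.line }}"
    regexp: "{{ item.regexp }}"
  loop:
    - { line: "DEFAULT_INPUT_POLICY=\"ACCEPT\"", regexp: "^DEFAULT_INPUT_POLICY=" }
    - { line: "DEFAULT_OUTPUT_POLICY=\"ACCEPT\"", regexp: "^DEFAULT_OUTPUT_POLICY=" }
    - { line: "DEFAULT_FORWARD_POLICY=\"DROP\"", regexp: "^DEFAULT_FORWARD_POLICY=" }

# Masquerade both internal networks behind the uplink.  Appending a *nat table
# to before.rules is the layout ufw's own NAT documentation describes.
# NOTE(review): forwarding also needs net/ipv4/ip_forward=1, which ufw applies
# from /etc/ufw/sysctl.conf; nothing in this file sets it, so confirm it is
# handled elsewhere.
- name: Configure UFW NAT rules.
  become: true
  blockinfile:
    path: /etc/ufw/before.rules
    insertafter: EOF
    prepend_newline: true
    block: |
      *nat
      :POSTROUTING ACCEPT [0:0]
      -A POSTROUTING -s {{ private_net_cidr }} -o isp -j MASQUERADE
      -A POSTROUTING -s {{ wild_net_cidr }} -o isp -j MASQUERADE
      COMMIT

# Forwarding allowed: lan and wild to the uplink, lan <-> wg0, wg0 <-> wg0.
# With DEFAULT_FORWARD_POLICY=DROP and no wild->lan rule, new connections from
# the guest network to lan are dropped (return traffic for the allowed
# directions is presumably accepted by ufw's stock RELATED,ESTABLISHED rule).
# NOTE(review): ufw regenerates /etc/ufw/user.rules whenever rules are changed
# through the ufw CLI, so a block appended here can be lost; `ufw route allow`
# rules or a block in before.rules would be more durable.
- name: Configure UFW FORWARD rules.
  become: true
  blockinfile:
    path: /etc/ufw/user.rules
    insertafter: EOF
    prepend_newline: true
    block: |
      *filter
      -A ufw-user-forward -i lan -o isp -j ACCEPT
      -A ufw-user-forward -i wild -o isp -j ACCEPT
      -A ufw-user-forward -i lan -o wg0 -j ACCEPT
      -A ufw-user-forward -i wg0 -o lan -j ACCEPT
      -A ufw-user-forward -i wg0 -o wg0 -j ACCEPT
      COMMIT

- name: Install DHCP server.
  become: true
  apt:
    name: isc-dhcp-server

# Serve DHCP only on the guest network; lan and isp are left alone.
- name: Configure DHCP interface.
  become: true
  lineinfile:
    path: /etc/default/isc-dhcp-server
    line: INTERFACESv4="wild"
    regexp: ^INTERFACESv4=
  notify: Restart DHCP server.

- name: Configure DHCP subnet.
  become: true
  copy:
    src: ../private/gate-dhcpd.conf
    dest: /etc/dhcp/dhcpd.conf
  notify: Restart DHCP server.

# The copy module does not create a missing parent directory for a file
# destination (the task fails instead), so create the drop-in directory first.
- name: Create DHCP server drop-in directory.
  become: true
  file:
    path: /etc/systemd/system/isc-dhcp-server.service.d
    state: directory
    owner: root
    group: root
    mode: "u=rwx,g=rx,o=rx"

# Requires= alone does not order units (systemd.unit(5): ordering needs After=
# or Before= as well), so without After= dhcpd could still be started before
# the interface it binds to is up.
- name: Configure DHCP server dependence on interface.
  become: true
  copy:
    content: |
      [Unit]
      Requires=network-online.target
      After=network-online.target
    dest: /etc/systemd/system/isc-dhcp-server.service.d/depend.conf
  notify: Reload Systemd.

- name: Enable/Start DHCP server.
  become: true
  systemd:
    name: isc-dhcp-server
    enabled: true
    state: started

- name: Install WireGuard™.
  become: true
  apt:
    name: wireguard

# A wg-quick config normally carries the interface's private key, hence the
# root-only, read-only mode.
- name: Configure WireGuard™.
  become: true
  copy:
    src: ../private/gate-wg0.conf
    dest: /etc/wireguard/wg0.conf
    mode: "u=r,g=,o="
    owner: root
    group: root
  notify: Restart WireGuard™.

- name: Enable/Start WireGuard™ on boot.
  become: true
  systemd:
    name: wg-quick@wg0
    enabled: true
    state: started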