---
# Variable files for the role: public and private settings, then the first
# membership roll found among membership_rolls. All three carry the
# accounts tag, like the revoked-client task further down.
- name: Include public variables.
  include_vars:
    file: ../public/vars.yml
  tags: accounts
- name: Include private variables.
  include_vars:
    file: ../private/vars.yml
  tags: accounts
- name: Include members.
  include_vars:
    file: "{{ lookup('first_found', membership_rolls) }}"
  tags: accounts

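# netplan renders the gate's interface configuration written by the tasks
# below. Module arguments in block form rather than a key=value string;
# become as a real boolean.
- name: Install netplan (gate).
  become: true
  apt:
    name: netplan.io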

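# Static addressing for the gate's LAN and WiFi interfaces. Each interface
# is matched by MAC address and renamed ("lan", "wifi"); DHCP is off on
# both. The LAN side resolves names via core_addr and routes the public VPN
# network through it.
- name: Configure netplan (gate).
  become: true
  copy:
    content: |
      network:
        ethernets:
          lan:
            match:
              macaddress: {{ gate_lan_mac }}
            addresses: [ {{ gate_addr_cidr }} ]
            set-name: lan
            dhcp4: false
            nameservers:
              addresses: [ {{ core_addr }} ]
              search: [ {{ domain_priv }} ]
            routes:
              - to: {{ public_vpn_net_cidr }}
                via: {{ core_addr }}
          wifi:
            match:
              macaddress: {{ gate_wifi_mac }}
            addresses: [ {{ gate_wifi_addr_cidr }} ]
            set-name: wifi
            dhcp4: false
    dest: /etc/netplan/60-gate.yaml
    # Owner read/write, group read, nothing for others.
    mode: 'u=rw,g=r,o='
  notify: Apply netplan.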

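# The ISP-facing interface takes its address by DHCP but does not use the
# DNS servers the ISP offers (use-dns: false); name resolution stays with
# core_addr as configured on the LAN side.
- name: Install netplan (ISP).
  become: true
  copy:
    content: |
      network:
        ethernets:
          isp:
            match:
              macaddress: {{ gate_isp_mac }}
            set-name: isp
            dhcp4: true
            dhcp4-overrides:
              use-dns: false
    dest: /etc/netplan/60-isp.yaml
    mode: 'u=rw,g=r,o='
    # With force false the file is only written when it does not already
    # exist, so a locally edited 60-isp.yaml survives later runs.
    force: false
  notify: Apply netplan.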

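# become: was left with an empty value, which YAML reads as null, so this
# task fell back to the play's become default instead of escalating like
# the other install tasks. apt needs root.
- name: Install UFW.
  become: true
  apt:
    name: ufw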

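# Default chain policies in /etc/default/ufw: FORWARD drops unless matched
# by the rules appended to before.rules below; INPUT and OUTPUT accept.
# NOTE(review): an ACCEPT default for INPUT on the gateway means inbound
# traffic to the gate itself is not dropped by policy — confirm this is
# intended.
- name: Configure UFW policy.
  become: true
  lineinfile:
    path: /etc/default/ufw
    line: "{{ item.line }}"
    regexp: "{{ item.regexp }}"
  loop:
    - line: 'DEFAULT_INPUT_POLICY="ACCEPT"'
      regexp: '^DEFAULT_INPUT_POLICY='
    - line: 'DEFAULT_OUTPUT_POLICY="ACCEPT"'
      regexp: '^DEFAULT_OUTPUT_POLICY='
    - line: 'DEFAULT_FORWARD_POLICY="DROP"'
      regexp: '^DEFAULT_FORWARD_POLICY='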

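# NAT and forwarding rules appended to ufw's before.rules. The private and
# WiFi networks are masqueraded out of isp. lan and wifi may initiate
# connections towards isp; isp may only send back ESTABLISHED,RELATED
# traffic. lan and ovpn (the OpenVPN tun device configured below) forward
# to each other without restriction.
- name: Configure UFW rules.
  become: true
  vars:
    # Quoted so the leading "-" is not mistaken for a sequence indicator.
    ACCEPT_RELATED: '-m state --state ESTABLISHED,RELATED -j ACCEPT'
  blockinfile:
    path: /etc/ufw/before.rules
    block: |
      *nat
      :POSTROUTING ACCEPT [0:0]
      -A POSTROUTING -s {{ private_net_cidr }} -o isp -j MASQUERADE
      -A POSTROUTING -s {{ gate_wifi_net_cidr }} -o isp -j MASQUERADE
      COMMIT

      *filter
      -A FORWARD -i lan  -o isp  -j ACCEPT
      -A FORWARD -i wifi -o isp  -j ACCEPT
      -A FORWARD -i isp  -o lan  {{ ACCEPT_RELATED }}
      -A FORWARD -i isp  -o wifi {{ ACCEPT_RELATED }}
      -A FORWARD -i lan  -o ovpn -j ACCEPT
      -A FORWARD -i ovpn -o lan  -j ACCEPT
      COMMIT
    insertafter: EOF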

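# isc-dhcp-server serves the WiFi network; its interface, unit drop-in and
# dhcpd.conf are written by the following tasks.
- name: Install DHCP server.
  become: true
  apt:
    name: isc-dhcp-server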

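# The DHCP server listens for IPv4 only on the wifi interface.
- name: Configure DHCP interface.
  become: true
  lineinfile:
    path: /etc/default/isc-dhcp-server
    line: 'INTERFACESv4="wifi"'
    regexp: '^INTERFACESv4='
  notify: Restart DHCP server.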

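# Systemd drop-in making isc-dhcp-server require network-online.target.
# copy does not create missing parent directories, so the .service.d
# directory is created first (a no-op when it already exists).
# NOTE(review): Requires= on its own does not order startup; an
# After=network-online.target line is normally paired with it — confirm
# the intended behaviour.
- name: Create DHCP server drop-in directory.
  become: true
  file:
    path: /etc/systemd/system/isc-dhcp-server.service.d
    state: directory

- name: Configure DHCP server dependence on interface.
  become: true
  copy:
    content: |
      [Unit]
      Requires=network-online.target
    dest: /etc/systemd/system/isc-dhcp-server.service.d/depend.conf
  notify: Reload Systemd.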

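# dhcpd.conf for the WiFi network: one subnet with 1-2 hour leases, no
# dynamic DNS updates, logging to the daemon facility, and a single fixed
# address reserved for wifi_wan_mac. No range is declared, so presumably
# only the reserved host is meant to receive a lease — confirm.
- name: Configure DHCP for WiFiAP service.
  become: true
  copy:
    content: |
      default-lease-time 3600;
      max-lease-time 7200;
      ddns-update-style none;
      authoritative;
      log-facility daemon;

      subnet {{ gate_wifi_net }} netmask {{ gate_wifi_net_mask }} {
        option subnet-mask {{ gate_wifi_net_mask }};
        option broadcast-address {{ gate_wifi_broadcast }};
        option routers {{ gate_wifi_addr }};
      }

      host {{ wifi_wan_name }} {
        hardware ethernet {{ wifi_wan_mac }};
        fixed-address {{ wifi_wan_addr }};
      }
    dest: /etc/dhcp/dhcpd.conf
  notify: Restart DHCP server.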

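# Start isc-dhcp-server at boot (the restart handler applies config changes).
- name: Enable DHCP server.
  become: true
  systemd:
    name: isc-dhcp-server
    enabled: true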

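# The gate's TLS certificate and private key from the CA directory under
# Secret/, installed as /etc/server.crt (world-readable) and
# /etc/server.key (readable by the owner only). Both are referenced by the
# OpenVPN server.conf written below.
- name: Install server certificate/key.
  become: true
  copy:
    src: ../Secret/CA/pki/{{ item.path }}.{{ item.typ }}
    dest: /etc/server.{{ item.typ }}
    mode: "{{ item.mode }}"
  loop:
    - path: "issued/gate.{{ domain_priv }}"
      typ: crt
      mode: 'u=r,g=r,o=r'
    - path: "private/gate.{{ domain_priv }}"
      typ: key
      mode: 'u=r,g=,o='
  notify: Restart OpenVPN.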

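# OpenVPN server package; its secrets and server.conf follow.
- name: Install OpenVPN.
  become: true
  apt:
    name: openvpn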

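# The gate routes between lan, wifi, isp and ovpn, so kernel IPv4
# forwarding must be on. state: present persists the value in the module's
# sysctl file and applies it.
- name: Enable IP forwarding.
  become: true
  sysctl:
    name: net.ipv4.ip_forward
    value: "1"
    state: present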

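# Per-client configuration directory, referenced as client-config-dir in
# server.conf below and populated by the revoked-client task.
- name: Create OpenVPN client configuration directory.
  become: true
  file:
    path: /etc/openvpn/ccd
    state: directory
  notify: Restart OpenVPN.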

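# One ccd file containing "disable" per name in revoked, so OpenVPN refuses
# those clients by common name.
# NOTE(review): this blocks by CN only and is not certificate revocation;
# the server.conf written below carries no crl-verify directive — confirm
# that is the intended model.
- name: Disable former VPN clients.
  become: true
  copy:
    content: "disable\n"
    dest: /etc/openvpn/ccd/{{ item }}
  loop: "{{ revoked }}"
  notify: Restart OpenVPN.
  tags: accounts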

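# Diffie-Hellman parameters and the tls-auth key from Secret/, readable by
# the owner only; both are named in server.conf below.
- name: Install OpenVPN secrets.
  become: true
  copy:
    src: ../Secret/{{ item.src }}
    dest: /etc/openvpn/{{ item.dest }}
    mode: 'u=r,g=,o='
  loop:
    - src: gate-dh2048.pem
      dest: dh2048.pem
    - src: gate-ta.key
      dest: ta.key
  notify: Restart OpenVPN.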

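# OpenVPN server on the "ovpn" tun device matched by the FORWARD rules
# above. Clients are pushed routes to the private and public VPN networks
# and the core DNS/search domain. The daemon drops to nobody/nogroup after
# start and keeps its key and tun device open across restarts
# (persist-key/persist-tun). Authentication uses the CA under
# /usr/local/share/ca-certificates with the server cert/key installed
# above, AES-256-GCM with SHA256, and a tls-auth HMAC on the control
# channel (ta.key, direction 0).
- name: Configure OpenVPN.
  become: true
  copy:
    content: |
      server {{ campus_vpn_net_and_mask }}
      client-config-dir /etc/openvpn/ccd
      push "route {{ private_net_and_mask }}"
      push "route {{ public_vpn_net_and_mask }}"
      dev-type tun
      dev ovpn
      topology subnet
      client-to-client
      keepalive 10 120
      push "dhcp-option DOMAIN {{ domain_priv }}"
      push "dhcp-option DNS {{ core_addr }}"
      user nobody
      group nogroup
      persist-key
      persist-tun
      cipher AES-256-GCM
      auth SHA256
      max-clients 20
      ifconfig-pool-persist ipp.txt
      status openvpn-status.log
      verb 3
      ca /usr/local/share/ca-certificates/{{ domain_name }}.crt
      cert /etc/server.crt
      key /etc/server.key
      dh dh2048.pem
      tls-auth ta.key 0
    dest: /etc/openvpn/server.conf
    mode: 'u=r,g=r,o='
  notify: Restart OpenVPN.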