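---
# Network stack of the gateway host: systemd-networkd units for its three
# NICs (lan, wild, isp), systemd-resolved, UFW (NAT + forwarding policy),
# IPv4 forwarding and the wg0 WireGuard tunnel.
# Variables such as gate_*_mac, gate_addr_cidr, core_addr and the *_net_cidr
# values come from the public/private vars files included first.

- name: Include public variables.
  include_vars: ../public/vars.yml

- name: Include private variables.
  include_vars: ../private/vars.yml

# The .link units pin each NIC to a stable name by MAC address so the
# .network units and the UFW rules below can refer to lan/wild/isp.
- name: Install 10-lan.link.
  become: true
  copy:
    content: |
      [Match]
      MACAddress={{ gate_lan_mac }}

      [Link]
      Name=lan
    dest: /etc/systemd/network/10-lan.link
  notify: Reload networkd.

# lan gets a static address, uses the core host for DNS, and routes the
# public WireGuard network through the core host.
- name: Install 10-lan.network.
  become: true
  copy:
    content: |
      [Match]
      MACAddress={{ gate_lan_mac }}

      [Network]
      Address={{ gate_addr_cidr }}
      DNS={{ core_addr }}
      Domains={{ domain_priv }}

      [Route]
      Destination={{ public_wg_net_cidr }}
      Gateway={{ core_addr }}
    dest: /etc/systemd/network/10-lan.network
  notify: Reload networkd.

- name: Install 10-wild.link.
  become: true
  copy:
    content: |
      [Match]
      MACAddress={{ gate_wild_mac }}

      [Link]
      Name=wild
    dest: /etc/systemd/network/10-wild.link
  notify: Reload networkd.

# Unlike the lan unit, the wild addressing comes from the wild.network
# template in this role.
- name: Install 10-wild.network.
  become: true
  template:
    src: wild.network
    dest: /etc/systemd/network/10-wild.network
  notify: Reload networkd.

- name: Install 10-isp.link.
  become: true
  copy:
    content: |
      [Match]
      MACAddress={{ gate_isp_mac }}

      [Link]
      Name=isp
    dest: /etc/systemd/network/10-isp.link
  notify: Reload networkd.

- name: Install 10-isp.network.
  become: true
  copy:
    src: ../private/gate-isp.network
    dest: /etc/systemd/network/10-isp.network
    # Seed only: an existing file on the host is left untouched, so later
    # changes to the private source are NOT pushed out by this task.
    force: false
  notify: Reload networkd.

- name: Configure resolved.
  become: true
  lineinfile:
    path: /etc/systemd/resolved.conf
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
  loop:
    # Also answer DNS on the wild-side address.
    - regexp: '^ *DNSStubListenerExtra *='
      line: "DNSStubListenerExtra={{ gate_wild_addr }}"
    - regexp: '^ *ReadEtcHosts *='
      line: "ReadEtcHosts=no"
  notify:
    - Reload Systemd.
    - Restart Systemd resolved.

- name: Install UFW.
  become: true
  apt:
    name: ufw

# /etc/default/ufw holds the chain default policies. INPUT and OUTPUT stay
# open; only FORWARD defaults to DROP, so routed traffic has to be allowed
# explicitly (see the before.rules block below).
# NOTE(review): DEFAULT_INPUT_POLICY=ACCEPT applies on the isp interface
# too, so anything listening on the gateway itself is reachable from the
# ISP side unless denied by rules not in this file — confirm intended.
- name: Configure UFW policy.
  become: true
  lineinfile:
    path: /etc/default/ufw
    line: "{{ item.line }}"
    regexp: "{{ item.regexp }}"
  loop:
    - line: 'DEFAULT_INPUT_POLICY="ACCEPT"'
      regexp: "^DEFAULT_INPUT_POLICY="
    - line: 'DEFAULT_OUTPUT_POLICY="ACCEPT"'
      regexp: "^DEFAULT_OUTPUT_POLICY="
    - line: 'DEFAULT_FORWARD_POLICY="DROP"'
      regexp: "^DEFAULT_FORWARD_POLICY="

# Appended at the end of the stock before.rules, i.e. after its final
# COMMIT; iptables-restore accepts several table sections per file and
# treats blockinfile's "# ... ANSIBLE MANAGED BLOCK" markers as comments.
#   nat:    masquerade the private and wild networks out of isp
#   filter: forward lan->isp, wild->isp, lan<->wg0 and wg0<->wg0
# With DEFAULT_FORWARD_POLICY=DROP, any path not listed here (e.g.
# wild -> lan, wild -> wg0) is dropped unless some other rule allows it.
- name: Configure UFW rules.
  become: true
  blockinfile:
    block: |
      *nat
      :POSTROUTING ACCEPT [0:0]
      -A POSTROUTING -s {{ private_net_cidr }} -o isp -j MASQUERADE
      -A POSTROUTING -s {{ wild_net_cidr }} -o isp -j MASQUERADE
      COMMIT

      *filter
      -A ufw-before-forward -i lan -o isp -j ACCEPT
      -A ufw-before-forward -i wild -o isp -j ACCEPT
      -A ufw-before-forward -i lan -o wg0 -j ACCEPT
      -A ufw-before-forward -i wg0 -o lan -j ACCEPT
      -A ufw-before-forward -i wg0 -o wg0 -j ACCEPT
      COMMIT
    dest: /etc/ufw/before.rules
    insertafter: EOF
    prepend_newline: true

- name: Enable UFW.
  become: true
  ufw:
    state: enabled
  tags: actualizer

# Without this the kernel drops routed packets regardless of the UFW
# forward rules above.
- name: Enable IP forwarding.
  become: true
  sysctl:
    name: net.ipv4.ip_forward
    value: "1"
    state: present

- name: Install WireGuard™.
  become: true
  apt:
    name: wireguard

# first_found picks the real private config when it exists and otherwise
# the "empty" one, so the play also converges on a host with no tunnel
# configured yet. The file is root-only (0400) since a wg-quick config
# normally holds the interface's private key.
- name: Configure WireGuard™.
  become: true
  vars:
    srcs:
      - ../private/gate-wg0.conf
      - ../private/gate-wg0-empty.conf
  copy:
    src: "{{ lookup('first_found', srcs) }}"
    dest: /etc/wireguard/wg0.conf
    mode: "u=r,g=,o="
    owner: root
    group: root
  notify: Restart WireGuard™.
  tags: accounts

- name: Start WireGuard™.
  become: true
  systemd:
    service: wg-quick@wg0
    state: started
  tags: actualizer

- name: Enable WireGuard™.
  become: true
  systemd:
    service: wg-quick@wg0
    enabled: true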