- name: Install WireGuard
  package:
    state: present
    name: "{{ wireguard_os_packages[ansible_distribution] }}"
  tags:
    - role::wireguard

- name: Create firewalld zone for Wireguard on Rocky hosts
  ansible.posix.firewalld:
    zone: wireguard
    state: present
    permanent: true
  when: ansible_distribution == "Rocky"
  tags:
    - role::wireguard

- name: Add wg0 interface to wireguard firewalld zone
  ansible.posix.firewalld:
    zone: wireguard
    interface: wg0
    state: enabled
    permanent: true
  when: ansible_distribution == "Rocky"
  tags:
    - role::wireguard

- name: Generate WireGuard private key
  shell: set -o pipefail && wg genkey > /etc/wireguard/key.priv
  args:
    executable: /bin/bash
    creates: /etc/wireguard/key.priv
  tags:
    - role::wireguard

- name: Generate WireGuard public key
  shell: set -o pipefail && cat /etc/wireguard/key.priv | wg pubkey > /etc/wireguard/key.pub
  args:
    executable: /bin/bash
    creates: /etc/wireguard/key.pub
  tags:
    - role::wireguard

- name: Ensure file permissions for keys set correctly
  file:
    path: "{{ item }}"
    owner: root
    group: root
    mode: "0600"
  with_items:
    - /etc/wireguard/key.priv
    - /etc/wireguard/key.pub
  tags:
    - role::wireguard

- name: Fetch private key for all hosts
  slurp:
    src: /etc/wireguard/key.priv
  register: wg_priv_key
  tags:
    - role::wireguard

- name: Fetch public key for all hosts
  slurp:
    src: /etc/wireguard/key.pub
  register: wg_pub_key
  tags:
    - role::wireguard

- name: Generate WireGuard configuration file
  template:
    src: wg0.conf.j2
    dest: /etc/wireguard/wg0.conf
    mode: "0600"
    group: root
    owner: root
  notify:
    - Reload wg-quick
  tags:
    - role::wireguard

- name: Start and enable the WireGuard service
  service:
    name: wg-quick@wg0
    enabled: true
    state: started
  tags:
    - role::wireguard