---
- hosts: all
  become: yes
  vars:
    peer_node_pubkeys: []
  tasks:
    - name: Install wireguard and ufw
      ansible.builtin.apt:
        name: 
          - wireguard
          - ufw
        state: present

    - name: Generate a wireguard server privatekey
      ansible.builtin.shell: "wg genkey > /etc/wireguard/private.key"

    - name: Read privatekey from the wireguard folder and generate public key
      ansible.builtin.shell: "cat /etc/wireguard/private.key | wg pubkey"
      register: root_node_public_key_stdout

    - name: Read privatekey from the wireguard folder
      ansible.builtin.shell: "cat /etc/wireguard/private.key"
      register: root_node_private_key_stdout

    - name: Create keys directory
      ansible.builtin.file:
        path: "/tmp/keys"
        state: directory

    - name: Set the file content to a variable
      ansible.builtin.set_fact:
        root_node_public_key: "{{ root_node_public_key_stdout.stdout }}"
        root_node_private_key: "{{ root_node_private_key_stdout.stdout }}"

    - name: Generate privatekeys for the peer nodes
      ansible.builtin.shell: "wg genkey > /tmp/keys/peer{{ item }}_private_key.txt"
      loop: "{{ range(1, n_peer_nodes + 1) | list }}"

    - name: Generate pubkeys for the peer nodes
      ansible.builtin.shell: "cat /tmp/keys/peer{{ item }}_private_key.txt |  wg pubkey > /tmp/keys/peer{{ item }}_public_key.txt"
      loop: "{{ range(1, n_peer_nodes + 1) | list }}"
 
    - name: Copy generated private keys to temporal keys location
      ansible.builtin.fetch:
        src: "/tmp/keys/peer{{ item }}_private_key.txt"
        dest: "./keys/peer{{ item }}_private_key.txt"
        flat: yes
      loop: "{{ range(1, n_peer_nodes + 1) | list }}"

    - name: Copy generated public keys to temporal keys location
      ansible.builtin.fetch:
        src: "/tmp/keys/peer{{ item }}_public_key.txt"
        dest: "./keys/peer{{ item }}_public_key.txt"
        flat: yes
      loop: "{{ range(1, n_peer_nodes + 1) | list }}"
         
    - name: Fill in the pubkeys array
      ansible.builtin.set_fact:
        peer_node_pubkeys: "{{ peer_node_pubkeys + [lookup('file', './keys/peer'+item|string+'_public_key.txt') | string] }}"
      loop: "{{ range(1, n_peer_nodes + 1) | list }}"
      become: false
      delegate_to: localhost

    - name: Get the default public interface
      ansible.builtin.shell: "ip route list | grep default | awk '{print $5}'"
      register: server_public_interface_stdout

    - name: Set the stdout of the public interface to a variable
      ansible.builtin.set_fact:
        server_public_interface: "{{ server_public_interface_stdout.stdout }}"

    - name: Temporal remap of the interface to eth1
      ansible.builtin.set_fact:
        server_public_interface: "eth1"

    - name: show the eth1 interface address
      ansible.builtin.debug:
        msg: "{{  ansible_eth1.ipv4.address }}"

    - name: Protect the privatekey by allowing only the root user to read
      ansible.builtin.file:
        path: "/etc/wireguard/private.key"
        owner: root
        group: root
        mode: '077'

    - name: Generate a wireguard server pubkey
      ansible.builtin.shell: "cat /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key"

    - name: Protect the privatekey by allowing only the root user to read
      ansible.builtin.file:
        path: "/etc/wireguard/public.key"
        owner: root
        group: root

    - name: Install the server wireguard template to the server
      ansible.builtin.template:
        src: "./templates/server_wg0.conf"
        dest: "/etc/wireguard/wg0.conf"

    - name: Ensure that the permissions to the config are not too open
      ansible.builtin.file:
        path: "/etc/wireguard/wg0.conf"
        owner: root
        group: root
        mode: '077'

    - name: Allow everything and enable UFW
      community.general.ufw:
        state: enabled
        policy: allow

    - name: Set logging for the ufw
      community.general.ufw:
        logging: 'on'

    - name: Allow all access to port 22
      community.general.ufw:
        rule: allow
        port: '22'

    - name: Allow all access to wireguard port (udp)
      community.general.ufw:
        rule: allow
        port: '51820'
        proto: udp

    - name: Start the wireguard service
      ansible.builtin.service:
        name: wg-quick@wg0.service
        enabled: yes
        state: started

    - name: Store the public to temportal directory so that the clients will be able to read it
      ansible.builtin.copy:
        content: "{{ root_node_public_key }}"
        dest: "./keys/root_node_public_key.txt"
      become: false
      delegate_to: localhost

    - name: Store the public ip of the node to temportal directory so that the clients will be able to read it
      ansible.builtin.copy:
        content: "{{ ansible_eth1.ipv4.address }}"
        dest: "./keys/root_node_public_ip.txt"
      become: false
      delegate_to: localhost

    - name: Add each peer to root node configuration
      ansible.builtin.shell: "wg set wg0 peer {{ peer_node_pubkeys[item] }} allowed-ips 10.6.0.{{ item+2 }}"
      loop: "{{ range(0, n_peer_nodes) | list }}"