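---
# WireGuard point-to-point setup in four plays:
#   1. server (nimbus):  install tools, generate its key pair, enable IP forwarding
#   2. client (localhost): install tools, generate its key pair
#   3. server: write wg0.conf with the client's public key, then start the tunnel
#   4. client: write wg0-client.conf with the server's public key
# Plays 3 and 4 read the public keys registered in plays 1 and 2 through
# hostvars, so the play order must not change.  Key generation and config
# writing are guarded by `creates:`, so re-running the playbook never
# overwrites existing keys or configs (regenerate by removing the files).
- name: Install Wireguard on Server
  hosts: nimbus
  become: true
  tasks:
    - name: Install wireguard tools and dig
      ansible.builtin.package:
        name:
          - wireguard-tools
          - bind  # provides dig here; the package name varies by distribution

    - name: Create private key
      # umask 077 keeps server_private_key readable by root only; the default
      # umask would leave a world-readable private key in /etc/wireguard.
      # The pipeline depends on /etc/wireguard existing (chdir), which the
      # wireguard-tools package is expected to create.
      ansible.builtin.shell:
        chdir: /etc/wireguard/
        creates: /etc/wireguard/server_public_key
        cmd: "umask 077 && wg genkey | tee server_private_key | wg pubkey > server_public_key"

    - name: Remember the public key
      # Consumed by play 4 as hostvars['nimbus']['wireguard_public_key']['stdout'].
      ansible.builtin.command: cat /etc/wireguard/server_public_key
      register: wireguard_public_key
      changed_when: false  # read-only lookup; don't report a change every run

    - name: Get server public IP
      # Registered but not consumed by the generated configs below, which use
      # a fixed endpoint hostname instead.
      ansible.builtin.command: dig +short myip.opendns.com @resolver1.opendns.com
      register: wireguard_public_ip
      changed_when: false

    - name: Allow ipv4 forwarding
      ansible.builtin.lineinfile:
        path: /etc/sysctl.d/wg.conf
        line: net.ipv4.ip_forward=1
        create: true
      register: ip_forward_conf

    - name: Apply ipv4 forwarding now
      # Files in sysctl.d are only read at boot; load this one so the tunnel
      # forwards traffic without a reboot.
      ansible.builtin.command: sysctl -p /etc/sysctl.d/wg.conf
      when: ip_forward_conf is changed

    - name: Enable the wireguard service
      # Only enabled at this point: wg0.conf does not exist yet, so a start
      # would fail.  The unit is started in "Generate Server Config" after
      # the config has been written.
      ansible.builtin.service:
        name: wg-quick@wg0
        enabled: true

- name: Install Wireguard on Host
  hosts: localhost
  become: true
  tasks:
    - name: Install wireguard tools
      ansible.builtin.package:
        name:
          - wireguard-tools

    - name: Create private key
      # Same umask protection as on the server: the private key must not be
      # world-readable.
      ansible.builtin.shell:
        chdir: /etc/wireguard/
        creates: /etc/wireguard/dmz_public_key
        cmd: "umask 077 && wg genkey | tee dmz_private_key | wg pubkey > dmz_public_key"

    - name: Remember the public key
      # Consumed by play 3 as hostvars['localhost']['client_public_key']['stdout'].
      ansible.builtin.command: cat /etc/wireguard/dmz_public_key
      register: client_public_key
      changed_when: false

- name: Generate Server Config
  hosts: nimbus
  become: true
  tasks:
    - name: Create wg0 configuration
      # The config embeds the server private key, so it is written under
      # umask 077.  The Jinja expression is rendered by Ansible before the
      # shell runs; $(cat ...) is expanded by the shell on the server.
      # "eth0" is assumed to be the server's uplink interface — confirm for
      # the actual host.
      ansible.builtin.shell:
        chdir: /etc/wireguard/
        creates: /etc/wireguard/wg0.conf
        cmd: |
          umask 077
          echo "
          [Interface]
          Address = 10.0.0.1/24
          SaveConfig = true
          PrivateKey = $(cat server_private_key)
          ListenPort = 51900
          PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
          PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

          [Peer]
          PublicKey = {{ hostvars['localhost']['client_public_key']['stdout'] }}
          AllowedIPs = 10.0.0.2/32
          " > /etc/wireguard/wg0.conf

    - name: Start the wireguard service
      # Started only now that wg0.conf exists; enabled again for idempotence
      # if the first play was skipped.
      ansible.builtin.service:
        name: wg-quick@wg0
        state: started
        enabled: true

- name: Generate Client Config
  hosts: localhost
  become: true
  tasks:
    - name: Create wg0 client configuration
      # Embeds the client private key, so written under umask 077.
      # hostvars['nimbus'] requires the inventory host to be named exactly
      # "nimbus"; a group of that name would not resolve here.
      # The client is not brought up by this playbook (bring it up with
      # wg-quick using the wg0-client config when needed).
      ansible.builtin.shell:
        chdir: /etc/wireguard/
        creates: /etc/wireguard/wg0-client.conf
        cmd: |
          umask 077
          echo "
          [Interface]
          Address = 10.0.0.2/32
          PrivateKey = $(cat dmz_private_key)
          DNS = 9.9.9.9

          [Peer]
          PublicKey = {{ hostvars['nimbus']['wireguard_public_key']['stdout'] }}
          Endpoint = space.xecut.me:51900
          AllowedIPs = 10.0.0.1/32
          " > /etc/wireguard/wg0-client.conf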