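---
# Gateway VM: WireGuard + Caddy
# Network entry point reached from the VPS.
#
# Tags: [wireguard], [caddy], [firewall] allow each section to be run alone
# (e.g. `--tags caddy`).

- name: Configuration gateway
  hosts: gateway
  become: true

  tasks:
    # -- WireGuard --
    - name: Installation WireGuard
      ansible.builtin.dnf:
        name:
          - wireguard-tools
        state: present
      tags: [wireguard]

    # Packet forwarding is required for this host to route traffic between
    # interfaces; the value is written to sysctl.conf (sysctl_set + reload)
    # so it survives a reboot.
    - name: Activation IP forwarding
      ansible.posix.sysctl:
        name: net.ipv4.ip_forward
        value: "1"
        sysctl_set: true
        reload: true
      tags: [wireguard]

    # Root-only directory: wg0.conf typically holds the interface private key.
    - name: Creation du repertoire WireGuard
      ansible.builtin.file:
        path: /etc/wireguard
        state: directory
        mode: "0700"
      tags: [wireguard]

    # The WireGuard config still has to be customised with the generated keys
    # and the VPS IP (phase 5). Until `wireguard_configured: true` is set in
    # the inventory/vars, this task is skipped and the tunnel is not started.
    - name: Deploiement config WireGuard (template)
      ansible.builtin.template:
        src: wg0.conf.j2
        dest: /etc/wireguard/wg0.conf
        mode: "0600"
      notify: restart wireguard
      when: wireguard_configured | default(false)
      tags: [wireguard]

    # -- Caddy --
    - name: Installation dnf-plugins-core (requis pour copr)
      ansible.builtin.dnf:
        name: dnf-plugins-core
        state: present
      tags: [caddy]

    # `command` instead of `shell`: no pipes, globs or variable expansion are
    # needed, so the argument string should not go through a shell
    # (ansible-lint command-instead-of-shell). `creates` keeps the task
    # idempotent: it is skipped once the COPR repo file exists.
    - name: Activation du repo COPR Caddy
      ansible.builtin.command: dnf copr enable -y @caddy/caddy
      args:
        creates: "/etc/yum.repos.d/_copr:copr.fedorainfracloud.org:group_caddy:caddy.repo"
      tags: [caddy]

    - name: Installation Caddy
      ansible.builtin.dnf:
        name: caddy
        state: present
      tags: [caddy]

    # The Caddyfile is shared with the docker/gateway setup; any change
    # triggers a Caddy restart through the handler below.
    - name: Deploiement Caddyfile
      ansible.builtin.copy:
        src: ../../docker/gateway/Caddyfile
        dest: /etc/caddy/Caddyfile
        mode: "0644"
      notify: restart caddy
      tags: [caddy]

    - name: Activation Caddy
      ansible.builtin.systemd:
        name: caddy
        state: started
        enabled: true
      tags: [caddy]

    # -- Firewall --
    # Only HTTP/HTTPS (Caddy) and the WireGuard UDP port are opened; rules are
    # written as permanent and become active on the firewalld reload handler.
    - name: Ouverture ports HTTP/HTTPS
      ansible.posix.firewalld:
        service: "{{ item }}"
        permanent: true
        state: enabled
      loop:
        - http
        - https
      notify: reload firewalld
      tags: [firewall]

    - name: Ouverture port WireGuard
      ansible.posix.firewalld:
        port: 51820/udp
        permanent: true
        state: enabled
      notify: reload firewalld
      tags: [firewall]

  handlers:
    # Also enables the unit so the tunnel comes back after a reboot; it is
    # only reached when the template task above actually deployed a config.
    - name: restart wireguard
      ansible.builtin.systemd:
        name: wg-quick@wg0
        state: restarted
        enabled: true

    - name: restart caddy
      ansible.builtin.systemd:
        name: caddy
        state: restarted

    - name: reload firewalld
      ansible.builtin.systemd:
        name: firewalld
        state: reloaded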