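---
# WireGuard tasks: render the tunnel config and its nftables hook scripts,
# then bring the interface up (or restart it) only when something changed.
# File modes are quoted strings: an unquoted 0600/0755 is parsed by the
# YAML 1.1 loader as an integer, which is easy to mis-handle downstream.

- name: "configure wireguard"
  ansible.builtin.template:
    src: "./wg0.conf.j2"
    dest: "/etc/wireguard/wg0.conf"
    # The config carries the tunnel private key, so it must not be
    # group/world readable. owner/group are not pinned here; presumably the
    # play runs as root, so the file ends up root-owned — confirm.
    mode: "0600"
  # NOTE(review): in --diff mode the rendered config (private key included)
  # is printed; consider `diff: false` on this task if output is logged.
  register: vpn_wireguard_conf

- name: "post-up nftables inet script"
  ansible.builtin.template:
    src: "./post-up-wg0-inet.nft.j2"
    dest: "/usr/local/sbin/post-up-wg0-inet.nft"
    mode: "0755"
  register: vpn_wireguard_post_up_wg0_inet_nft

- name: "post-up nftables ipv4 script"
  ansible.builtin.template:
    src: "./post-up-wg0-ipv4.nft.j2"
    dest: "/usr/local/sbin/post-up-wg0-ipv4.nft"
    mode: "0755"
  register: vpn_wireguard_post_up_wg0_ipv4_nft

- name: "configure interface"
  ansible.builtin.template:
    src: "./wg0.j2"
    dest: "/etc/network/interfaces.d/wg0"
    mode: "0644"
    # validate is (ab)used for a side effect: if the rendered file differs
    # from what is installed and wg0 is currently up, the interface is taken
    # down with the OLD config before the new one is written. It always
    # exits 0, so it never rejects the template.
    validate: >
      bash -c 'if ! diff %s /etc/network/interfaces.d/wg0 && ip link show dev wg0 ; then ifdown wg0 ; fi'
  register: vpn_wireguard_intf

- name: "restart interface"
  ansible.builtin.shell: |
    if ip link show dev wg0
    then ifdown wg0 && ifup wg0
    else ifup wg0
    fi
  # Any change to the config, the hook scripts or the interface stanza
  # triggers a bounce of wg0.
  when: >-
    vpn_wireguard_conf.changed
    or vpn_wireguard_post_up_wg0_inet_nft.changed
    or vpn_wireguard_post_up_wg0_ipv4_nft.changed
    or vpn_wireguard_intf.changed

# NOTE(review): the pre-down scripts are installed only after the restart
# above. If wg0.j2 references them as pre-down hooks, the first ifdown on a
# host where they are missing could fail — confirm against the template and
# move these two tasks ahead of "restart interface" if so.
- name: "pre-down nftables inet script"
  ansible.builtin.copy:
    src: "./pre-down-wg0-inet.nft"
    dest: "/usr/local/sbin/pre-down-wg0-inet.nft"
    mode: "0755"

- name: "pre-down nftables ipv4 script"
  ansible.builtin.copy:
    src: "./pre-down-wg0-ipv4.nft"
    dest: "/usr/local/sbin/pre-down-wg0-ipv4.nft"
    mode: "0755"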