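---
# WireGuard role entry point: prepares controller-side directories, pulls in
# the per-distribution tasks and key generation, renders the per-user client
# artifacts (config files, Apple profiles, QR codes) on the controller,
# installs the server config on the target host and starts the service.

# NOTE(review): no mode is set here, so the permissions of the private/ and
# preshared/ directories follow the controller's umask. Confirm that keys.yml
# writes the key files themselves with a restrictive mode.
- name: Ensure the required directories exist
  file:
    dest: "{{ item }}"
    state: directory
    recurse: true
  with_items:
    - "{{ wireguard_pki_path }}/preshared"
    - "{{ wireguard_pki_path }}/private"
    - "{{ wireguard_pki_path }}/public"
    - "{{ wireguard_config_path }}/apple/ios"
    - "{{ wireguard_config_path }}/apple/macos"
  delegate_to: localhost
  become: false

- name: Include tasks for Ubuntu
  include_tasks: ubuntu.yml
  when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
  tags: always

- name: Include tasks for FreeBSD
  include_tasks: freebsd.yml
  when: ansible_distribution == 'FreeBSD'
  tags: always

- name: Generate keys
  import_tasks: keys.yml
  tags: update-users

# The outer block exists to apply the update-users tag to everything inside it.
- name: Generate client artifacts and the server config
  block:
    # The inner block runs unprivileged on the controller: client configs,
    # profiles and QR codes are written locally, not on the VPN host.
    - name: Generate client artifacts on the controller
      block:
        # index.txt keeps one user per line; a user's line position is later
        # passed to the templates as `index`.
        - name: WireGuard user list updated
          lineinfile:
            dest: "{{ wireguard_pki_path }}/index.txt"
            create: true
            mode: "0600"
            insertafter: EOF
            line: "{{ item }}"
          register: lineinfile
          with_items: "{{ users }}"

        # Read back the same file the previous task wrote. The explicit '/'
        # matches that task's path, so the lookup no longer depends on
        # wireguard_pki_path ending in a slash (a doubled slash is harmless).
        - name: Load the WireGuard user list
          set_fact:
            wireguard_users: "{{ (lookup('file', wireguard_pki_path + '/index.txt')).split('\n') }}"

        # index.txt may list users that are not in `users`; those are skipped
        # but still occupy their index.
        - name: WireGuard users config generated
          template:
            src: client.conf.j2
            dest: "{{ wireguard_config_path }}/{{ item.1 }}.conf"
            mode: "0600"
          with_indexed_items: "{{ wireguard_users }}"
          when: item.1 in users
          vars:
            index: "{{ item.0 }}"

        - name: Generate Apple configuration profiles
          include_tasks: mobileconfig.yml
          loop:
            - ios
            - macos
          loop_control:
            loop_var: system

        # Best effort: `which segno && ... || true` makes the task succeed
        # even when segno is missing or fails, so a missing QR code is silent.
        # umask 077 keeps the generated PNG readable by its owner only.
        # Both interpolated values go through the `quote` filter so the shell
        # treats them as literal words (no word splitting or expansion).
        # NOTE(review): the rendered client config (presumably including the
        # client's private key; confirm in client.conf.j2) is passed as a
        # command-line argument, so it is visible in the controller's process
        # list while segno runs. Run this only on a single-user controller.
        - name: Generate QR codes
          shell: >
            umask 077;
            which segno &&
            segno --scale=5 --output={{ item.1 | quote }}.png
            {{ lookup('template', 'client.conf.j2') | quote }} || true
          changed_when: false
          with_indexed_items: "{{ wireguard_users }}"
          when: item.1 in users
          vars:
            index: "{{ item.0 }}"
            ansible_python_interpreter: "{{ ansible_playbook_python }}"
          args:
            chdir: "{{ wireguard_config_path }}"
            executable: bash
      become: false
      delegate_to: localhost

    # Not delegated: this task writes the server config on the target host.
    - name: WireGuard configured
      template:
        src: server.conf.j2
        dest: "{{ config_prefix|default('/') }}etc/wireguard/{{ wireguard_interface }}.conf"
        mode: "0600"
      notify: restart wireguard
  tags: update-users

- name: WireGuard enabled and started
  service:
    name: "{{ service_name }}"
    state: started
    enabled: true

# Remove the key material from the controller when both flags are false.
# NOTE(review): presumably algo_store_pki is the operator's choice to keep the
# PKI and pki_in_tmpfs means it lives on a tmpfs mount; confirm where they are
# defined. `state: absent` unlinks the files, it does not overwrite them.
- name: Delete the PKI directory
  file:
    path: "{{ wireguard_pki_path }}"
    state: absent
  become: false
  delegate_to: localhost
  when:
    - not algo_store_pki
    - not pki_in_tmpfs

# Run any pending "restart wireguard" notification now, not at end of play.
- name: Flush handlers
  meta: flush_handlers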