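---
# Tasks for an OpenVPN server host: vendor apt repository, packages,
# CA/certificate/key material, per-client config, forwarding and NAT.
# Every task escalates with become. The handlers notified here
# ('Reload openvpn services', 'Restart openvpn server') are defined elsewhere.

- name: 'Install the official package repository for OpenVPN'
  # become on the block applies to both tasks inside it
  become: true
  block:
    - name: 'Add the signing key'
      ansible.builtin.get_url:
        url: 'https://swupdate.openvpn.net/repos/repo-public.gpg'
        dest: '{{ server_openvpn_signing_file }}'
        owner: 'root'
        group: 'root'
        mode: 'u=rw,g=r,o=r'
        # The key is fetched over HTTPS but its content is not pinned.
        # Once the published digest has been verified out of band, add
        #   checksum: 'sha256:<EXPECTED-DIGEST-PLACEHOLDER>'
        # so a swapped repository key fails this task instead of being trusted.

    - name: 'Add the actual repo'
      ansible.builtin.apt_repository:
        repo: '{{ server_openvpn_source_line }}'
        state: 'present'

- name: 'Install server software and kernel module'
  become: true
  ansible.builtin.apt:
    # One apt transaction for both packages instead of one module call per
    # item, so dependencies are resolved together and the task runs once.
    name:
      - 'openvpn'
      - 'openvpn-dco-dkms'
    update_cache: true
    state: 'present'

- name: 'Prepare the folder for vpn server files'
  become: true
  ansible.builtin.file:
    path: '{{ item }}'
    state: 'directory'
    owner: 'root'
    group: 'root'
    mode: 'u=rwx,g=rx,o=rx'
  loop:
    # parent first; the ccd directory holds per-client config (see below)
    - '/etc/openvpn/{{ server_openvpn_directory }}'
    - '/etc/openvpn/{{ server_openvpn_directory }}/ccd'

- name: 'Deploy public config files'
  # Non-secret material: CA chain, server certificate, CRL and DH parameters.
  become: true
  ansible.builtin.template:
    src: '{{ item.src }}'
    dest: '{{ item.dest }}'
    owner: 'root'
    group: 'root'
    mode: '{{ item.mode }}'
  loop:
    - src: 'ca.crt.j2'
      dest: '/etc/openvpn/{{ server_openvpn_ca }}'
      mode: 'u=rw,g=r,o=r'
    - src: 'cert.crt.j2'
      dest: '/etc/openvpn/{{ server_openvpn_cert }}'
      mode: 'u=rw,g=r,o=r'
    - src: 'crl.pem.j2'
      dest: '/etc/openvpn/{{ server_openvpn_crl }}'
      mode: 'u=rw,g=r,o=r'
    - src: 'dh2048.pem.j2'
      dest: '/etc/openvpn/{{ server_openvpn_dhfile }}'
      mode: 'u=rw,g=r,o=r'
  notify: 'Restart openvpn server'

- name: 'Deploy secret config files'
  # Private key, key passphrase and tls-auth key: root-only mode, and
  # no_log so the rendered content is not written to the play output
  # (the template module prints the rendered file under --diff).
  become: true
  no_log: true
  ansible.builtin.template:
    src: '{{ item.src }}'
    dest: '{{ item.dest }}'
    owner: 'root'
    group: 'root'
    mode: 'u=rw,g=,o='
  loop:
    - src: 'cert.key.j2'
      dest: '/etc/openvpn/{{ server_openvpn_key }}'
    - src: 'cert.pwd.j2'
      dest: '/etc/openvpn/{{ server_openvpn_passfile }}'
    - src: 'tls-auth.key.j2'
      dest: '/etc/openvpn/{{ server_openvpn_tlsauth }}'
  notify: 'Restart openvpn server'

- name: 'Deploy client specific config'
  # One file per client under ccd/, named after the dict key of
  # server_openvpn_client_configs (presumably the client's certificate
  # common name; confirm against ccd.j2 and the server config).
  become: true
  ansible.builtin.template:
    src: 'ccd.j2'
    dest: '/etc/openvpn/{{ server_openvpn_directory }}/ccd/{{ item.key }}'
    owner: 'root'
    group: 'root'
    mode: 'u=rw,g=r,o=r'
  loop: '{{ server_openvpn_client_configs | dict2items }}'
  notify: 'Restart openvpn server'

- name: 'Deploy server config'
  become: true
  ansible.builtin.template:
    src: 'openvpn_server.conf.j2'
    dest: '/etc/openvpn/{{ server_openvpn_config_name }}.conf'
    owner: 'root'
    group: 'root'
    mode: 'u=rw,g=r,o=r'
  notify:
    - 'Reload openvpn services'
    - 'Restart openvpn server'

- name: 'Configure ip forwarding to allow external communication throught the vpn'
  become: true
  ansible.posix.sysctl:
    name: '{{ item.key }}'
    value: '{{ item.value }}'
    # Also check and set the running kernel value, not only the sysctl
    # file, so a host whose runtime setting drifted is corrected.
    sysctl_set: true
  loop: '{{ server_openvpn_sysctl_settings | dict2items }}'
  notify: 'Restart openvpn server'

- name: 'Configure masquerading on firewall for the vpn traffic to the internet'
  become: true
  ansible.builtin.iptables:
    chain: 'POSTROUTING'
    comment: 'Enable masquerading from the vpn network'
    out_interface: '{{ server_openvpn_nat_interface }}'
    # The NAT source assumes a /24 pool; keep this in step with the
    # address pool declared in openvpn_server.conf.j2 (TODO confirm).
    source: '{{ server_openvpn_ipv4_pool }}/24'
    table: 'nat'
    jump: 'MASQUERADE'
    state: 'present'
  # This module edits the live ruleset only; nothing in this file
  # persists the rule across a reboot.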