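---
# OpenVPN server provisioning (Debian/Ubuntu):
#   1. add the vendor apt repository, pinned to its signing key via `signed-by`
#   2. install the daemon and the DCO kernel module
#   3. lay down PKI material, per-client (ccd) overrides and the server config
#   4. enable the sysctl settings (ip forwarding) the tunnel needs
# Handlers referenced by `notify` ('Restart openvpn server',
# 'Reload openvpn services') are defined elsewhere in the role.

- name: 'Install the official package repository for OpenVPN'
  block:
    # The keyring directory is not guaranteed to exist on older releases
    # (the get_url below would fail on a missing parent), so create it
    # explicitly with the conventional permissions.
    - name: 'Ensure the apt keyring directory exists'
      become: true
      ansible.builtin.file:
        path: '/etc/apt/keyrings'
        state: 'directory'
        owner: 'root'
        group: 'root'
        mode: '0755'

    # The key is fetched over HTTPS, so transport integrity rests on the
    # TLS certificate of swupdate.openvpn.net. Adding a `checksum:` (sha256)
    # would additionally pin the key against a compromised download host;
    # the expected digest is not known here, so it is left as a TODO.
    # apt needs the key world-readable; set the mode explicitly rather than
    # relying on the umask of the become user.
    - name: 'Add the signing key'
      become: true
      ansible.builtin.get_url:
        url: 'https://swupdate.openvpn.net/repos/repo-public.gpg'
        dest: '/etc/apt/keyrings/openvpn-repo-public.asc'
        owner: 'root'
        group: 'root'
        mode: '0644'

    # `signed-by` scopes the key to this one repository: it cannot be used
    # to sign packages for any other apt source on the host.
    - name: 'Add the actual repo'
      become: true
      ansible.builtin.apt_repository:
        repo: >-
          deb [arch=amd64 signed-by=/etc/apt/keyrings/openvpn-repo-public.asc]
          https://build.openvpn.net/debian/openvpn/stable
          {{ ansible_distribution_release }} main
        state: present

# Passing the package list to `name` installs both in a single apt
# transaction (and refreshes the cache once), instead of looping the module
# per package.
- name: 'Install server software and kernel module'
  become: true
  ansible.builtin.apt:
    name:
      - 'openvpn'
      - 'openvpn-dco-dkms'
    update_cache: true
    state: 'present'

- name: 'Prepare the folder for vpn server files'
  become: true
  ansible.builtin.file:
    path: '{{ item }}'
    state: 'directory'
    owner: 'root'
    group: 'root'
    mode: 'u=rwx,g=rx,o=rx'
  loop:
    - '/etc/openvpn/{{ openvpn_server_directory }}'
    - '/etc/openvpn/{{ openvpn_server_directory }}/ccd'

# Public PKI material: CA, server certificate, CRL and DH parameters.
# These are not secrets, so the task keeps normal logging/diff output.
- name: 'Deploy public PKI files'
  become: true
  ansible.builtin.template:
    src: '{{ item.src }}'
    dest: '{{ item.dest }}'
    owner: 'root'
    group: 'root'
    mode: 'u=rw,g=r,o=r'
  loop:
    - src: 'ca.crt.j2'
      dest: '/etc/openvpn/{{ openvpn_server_ca }}'
    - src: 'cert.crt.j2'
      dest: '/etc/openvpn/{{ openvpn_server_cert }}'
    - src: 'crl.pem.j2'
      dest: '/etc/openvpn/{{ openvpn_server_crl }}'
    - src: 'dh2048.pem.j2'
      dest: '/etc/openvpn/{{ openvpn_server_dhfile }}'
  notify: 'Restart openvpn server'

# Secret material: server private key, its passphrase file and the
# tls-auth key. `no_log` keeps the rendered content out of the task output
# (a run with --diff would otherwise print the full key on first deploy or
# on rotation); the files themselves are root-only (mode u=rw).
- name: 'Deploy secret PKI files'
  become: true
  no_log: true
  ansible.builtin.template:
    src: '{{ item.src }}'
    dest: '{{ item.dest }}'
    owner: 'root'
    group: 'root'
    mode: 'u=rw,g=,o='
  loop:
    - src: 'cert.key.j2'
      dest: '/etc/openvpn/{{ openvpn_server_key }}'
    - src: 'cert.pwd.j2'
      dest: '/etc/openvpn/{{ openvpn_server_passfile }}'
    - src: 'tls-auth.key.j2'
      dest: '/etc/openvpn/{{ openvpn_server_tlsauth }}'
  notify: 'Restart openvpn server'

# The dict keys become file names under ccd/ verbatim. A key containing a
# path separator or '..' would write outside that directory, so restrict
# them to the character set OpenVPN itself allows for a client common name.
- name: 'Validate client config names'
  ansible.builtin.assert:
    that:
      - >-
        openvpn_server_client_configs | dict2items | map(attribute='key')
        | reject('match', '^[A-Za-z0-9_.@-]+$') | list | length == 0
    fail_msg: 'openvpn_server_client_configs keys must match ^[A-Za-z0-9_.@-]+$'

- name: 'Deploy client specific config'
  become: true
  ansible.builtin.template:
    src: 'ccd.j2'
    dest: '/etc/openvpn/{{ openvpn_server_directory }}/ccd/{{ item.key }}'
    owner: 'root'
    group: 'root'
    mode: 'u=rw,g=r,o=r'
  loop: '{{ openvpn_server_client_configs | dict2items }}'
  notify: 'Restart openvpn server'

# The server config is written as /etc/openvpn/<name>.conf; both handlers
# are notified as in the original role (reload of the unit set, then a
# restart of the server instance).
- name: 'Deploy server config'
  become: true
  ansible.builtin.template:
    src: 'openvpn_server.conf.j2'
    dest: '/etc/openvpn/{{ openvpn_server_config_name }}.conf'
    owner: 'root'
    group: 'root'
    mode: 'u=rw,g=r,o=r'
  notify:
    - 'Reload openvpn services'
    - 'Restart openvpn server'

# Kernel settings (typically net.ipv4.ip_forward) taken from
# `openvpn_sysctl_settings`; the module persists them to sysctl.conf and
# reloads it, so the values apply without a reboot.
- name: 'Configure ip forwarding to allow external communication through the vpn'
  become: true
  ansible.posix.sysctl:
    name: '{{ item.key }}'
    value: '{{ item.value }}'
    state: 'present'
  loop: '{{ openvpn_sysctl_settings | dict2items }}'
  notify: 'Restart openvpn server'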