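---
# Sets up kubeguard on a kubernetes node: a WireGuard interface plus one
# systemd unit per peer node, IPv4 forwarding, and the CNI config that hands
# pod networking to it.

- name: make sure kubernetes_network_plugin_replaces_kube_proxy is not set
  run_once: true
  assert:
    msg: "kubeguard can not replace kube-proxy, please set kubernetes_network_plugin_replaces_kube_proxy to false."
    that: not kubernetes_network_plugin_replaces_kube_proxy

- name: install wireguard
  import_role:
    name: network/wireguard/base

- name: create network config directory
  file:
    path: /var/lib/kubeguard/
    state: directory

- name: install ifupdown script
  template:
    src: net_kubeguard/ifupdown.sh.j2
    dest: /var/lib/kubeguard/ifupdown.sh
    # quoted so the leading-zero literal is not reinterpreted as a YAML octal int
    mode: "0755"
  # TODO: notify reload... this is unfortunately already too late because
  # it must probably be brought down by the old version of the script

- name: generate wireguard private key
  # umask 077 makes the key file owner-only (0600) from the moment the shell
  # creates it; `creates` keeps an existing key from being regenerated on re-runs.
  shell: "umask 077; wg genkey > /var/lib/kubeguard/kubeguard-wg0.privatekey"
  args:
    creates: /var/lib/kubeguard/kubeguard-wg0.privatekey

- name: fetch wireguard public key
  # read-only derivation of the public key: never reported as a change and
  # allowed to run in check mode so later templates can use the registered value
  shell: "wg pubkey < /var/lib/kubeguard/kubeguard-wg0.privatekey"
  register: kubeguard_wireguard_pubkey
  changed_when: false
  check_mode: false

- name: install systemd service unit for network interface
  template:
    src: net_kubeguard/interface.service.j2
    dest: /etc/systemd/system/kubeguard-interface.service
  # TODO: notify: reload???

- name: make sure kubeguard interface service is started and enabled
  systemd:
    daemon_reload: true
    name: kubeguard-interface.service
    state: started
    enabled: true

- name: install systemd units for every kubeguard peer
  # inventory_hostname is wrapped in a list on purpose: with a bare string,
  # difference() falls back to a substring test, so a node named like a prefix
  # of this host (node1 vs node10) would silently be dropped from the peer list
  loop: "{{ groups['_kubernetes_nodes_'] | difference([inventory_hostname]) }}"
  loop_control:
    loop_var: peer
  template:
    src: net_kubeguard/peer.service.j2
    dest: "/etc/systemd/system/kubeguard-peer-{{ peer }}.service"
  # TODO: notify restart for peers that change...

- name: make sure kubeguard peer services are started and enabled
  # same list expression as the unit installation above so both loops agree
  loop: "{{ groups['_kubernetes_nodes_'] | difference([inventory_hostname]) }}"
  loop_control:
    loop_var: peer
  systemd:
    daemon_reload: true
    name: "kubeguard-peer-{{ peer }}.service"
    state: started
    enabled: true

- name: enable IPv4 forwarding
  # required so the node can route pod traffic between the CNI bridge and the tunnel
  sysctl:
    name: net.ipv4.ip_forward
    value: '1'
    sysctl_set: true
    state: present
    reload: true

- name: create cni config directory
  file:
    path: /etc/cni/net.d
    state: directory

- name: install cni config
  template:
    src: net_kubeguard/cni.conflist.j2
    dest: /etc/cni/net.d/kubeguard.conflist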