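---
# Sets up the kubeguard WireGuard overlay on a node: installs wireguard,
# generates the node's key pair under /var/lib/kubeguard and installs the
# systemd unit that brings the interfaces up.

- name: install wireguard
  import_role:
    name: wireguard/base

- name: create network config directory
  file:
    name: /var/lib/kubeguard/
    state: directory

- name: configure wireguard port
  set_fact:
    # falls back to the WireGuard default port when the inventory does not set one
    kubeguard_wireguard_port: "{{ kubernetes.wireguard_port | default(51820) }}"

- name: install ifupdown script
  template:
    src: ifupdown.sh.j2
    dest: /var/lib/kubeguard/ifupdown.sh
    # quoted: a bare 0755 is read by YAML as the integer 493 and only works by accident
    mode: '0755'
  # TODO: notify reload... this is unfortunately already too late because
  #       the interface must probably be brought down by the old version of the script

- name: generate wireguard private key
  # umask 077 makes the key unreadable by others from the moment it is written.
  # The key is written to a temp file and renamed so that a failing `wg genkey`
  # cannot leave an empty key file behind, which `creates` would then treat as done.
  shell: >-
    umask 077 &&
    wg genkey > /var/lib/kubeguard/kube-wg0.privatekey.tmp &&
    mv /var/lib/kubeguard/kube-wg0.privatekey.tmp /var/lib/kubeguard/kube-wg0.privatekey
  args:
    creates: /var/lib/kubeguard/kube-wg0.privatekey

- name: enforce wireguard private key permissions
  # the generate task is skipped once the file exists, so a key that ended up
  # on disk with looser permissions would otherwise never be tightened
  file:
    path: /var/lib/kubeguard/kube-wg0.privatekey
    mode: '0600'

- name: fetch wireguard public key
  shell: "wg pubkey < /var/lib/kubeguard/kube-wg0.privatekey"
  register: kubeguard_wireguard_pubkey
  # read-only derivation of the public key; never reported as a change
  changed_when: false
  # runs under --check too so the registered value is available to later tasks;
  # NOTE(review): on a host whose private key does not exist yet, --check fails here
  check_mode: false

- name: install systemd service unit for network interfaces
  copy:
    src: kubeguard-interfaces.service
    dest: /etc/systemd/system/kubeguard-interfaces.service
  # TODO: notify: reload???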
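- name: make sure kubeguard interfaces service is started and enabled
  systemd:
    daemon_reload: true
    name: kubeguard-interfaces.service
    state: started
    enabled: true

- name: get list of currently installed kubeguard peers
  find:
    path: /etc/systemd/system/
    pattern: "kubeguard-peer-*.service"
  register: kubeguard_peers_installed

- name: compute list of peers to be added
  set_fact:
    # every node of the group except this host. The subtrahend must be a
    # list: handing difference() a bare string is, depending on the Ansible
    # version, either a set of characters (this host is then NOT excluded)
    # or a substring match (a peer whose name is contained in this host's
    # name, e.g. node1 on node10, is wrongly excluded as well).
    kubeguard_peers_to_add: "{{ groups['_kubernetes_nodes_'] | difference([inventory_hostname]) }}"

- name: compute list of peers to be removed
  set_fact:
    # peer names recovered from installed unit file names that no longer
    # correspond to a node in the group
    kubeguard_peers_to_remove: "{{ kubeguard_peers_installed.files | map(attribute='path') | map('replace', '/etc/systemd/system/kubeguard-peer-', '') | map('replace', '.service', '') | difference(kubeguard_peers_to_add) }}"

- name: stop/disable systemd units for stale kubeguard peers
  loop: "{{ kubeguard_peers_to_remove }}"
  systemd:
    name: "kubeguard-peer-{{ item }}.service"
    state: stopped
    enabled: false

- name: remove systemd units for stale kubeguard peers
  loop: "{{ kubeguard_peers_to_remove }}"
  file:
    name: "/etc/systemd/system/kubeguard-peer-{{ item }}.service"
    state: absent

- name: install systemd units for every kubeguard peer
  loop: "{{ kubeguard_peers_to_add }}"
  loop_control:
    # `peer` instead of `item` so the template can name the peer explicitly
    loop_var: peer
  template:
    src: kubeguard-peer.service.j2
    dest: "/etc/systemd/system/kubeguard-peer-{{ peer }}.service"
  # TODO: notify restart for peers that change...

- name: make sure kubeguard peer services are started and enabled
  loop: "{{ kubeguard_peers_to_add }}"
  systemd:
    daemon_reload: true
    name: "kubeguard-peer-{{ item }}.service"
    state: started
    enabled: true

- name: enable IPv4 forwarding
  # the node has to forward traffic between its interfaces for the overlay to work
  sysctl:
    name: net.ipv4.ip_forward
    value: '1'
    sysctl_set: true
    state: present
    reload: true

- name: create cni config directory
  file:
    name: /etc/cni/net.d
    state: directory

- name: install cni config
  template:
    src: k8s.json.j2
    dest: /etc/cni/net.d/k8s.json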