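---
# Tasks for a WireGuard gateway host: one systemd-networkd netdev/network pair
# per entry in `wireguard_gateway_tunnels`, optional nftables rules for
# tunnels that do SNAT or port forwarding, and a per-tunnel workaround unit
# for tunnels that carry a `default_gateway` key.

# The .netdev file is what systemd-networkd reads the tunnel's key material
# from (presumably the template renders a PrivateKey — verify against
# systemd.netdev.j2), so it is installed readable only by root and the
# systemd-network group. The mode is quoted: an unquoted `0640` is parsed as
# an integer by the YAML loader, and Ansible documents that leading-zero
# octal literals are unreliable, especially inside loops.
- name: install wireguard interfaces (netdev)
  loop: "{{ wireguard_gateway_tunnels | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  template:
    src: systemd.netdev.j2
    dest: "/etc/systemd/network/{{ item.key }}.netdev"
    mode: "0640"
    group: systemd-network
  notify: restart systemd-networkd

- name: install wireguard interfaces (network)
  loop: "{{ wireguard_gateway_tunnels | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  template:
    src: systemd.network.j2
    dest: "/etc/systemd/network/{{ item.key }}.network"
  notify: restart systemd-networkd

- name: enable systemd-networkd
  systemd:
    name: systemd-networkd
    enabled: true
    state: started

# Only tunnels that declare `ip_snat` or `port_forwardings` get a ruleset;
# other tunnels leave the firewall untouched.
- name: install nftables rules
  loop: "{{ wireguard_gateway_tunnels | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  when: "'ip_snat' in item.value or 'port_forwardings' in item.value"
  template:
    src: nftables.rules.j2
    dest: "/etc/nftables.d/wireguard-gateway-{{ item.key }}.nft"
  notify: reload nftables

# Read-only probe of the current default route; runs in check mode too so
# the fact below is available for the templates. `changed_when: false`
# keeps the command from reporting a change on every run.
- name: get original default route
  check_mode: false
  command: "ip route show exact 0.0.0.0/0"
  register: wireguard_gateway_original_defaultgw
  changed_when: false

# Reduce the registered command result to just the gateway address, reusing
# the same variable name (the full result dict is overwritten here).
- name: extract original default gateway address
  set_fact:
    wireguard_gateway_original_defaultgw: "{{ wireguard_gateway_original_defaultgw.stdout | regex_replace('.* via ([^ ]*).*$', '\\1') }}"

# NOTE(review): the workaround unit is installed without a handler; a later
# change to the rendered unit file is reloaded (daemon_reload below) but the
# already-running service is not restarted — confirm whether that matters.
- name: install workaround for default-gateway handling
  loop: "{{ wireguard_gateway_tunnels | dict2items | selectattr('value.default_gateway', 'defined') }}"
  loop_control:
    label: "{{ item.key }}"
  template:
    src: systemd-fix-default-gw.service.j2
    dest: "/etc/systemd/system/wireguard-gateway-{{ item.key }}-fix-default-gw.service"

- name: enable/start workaround for default-gateway handling
  loop: "{{ wireguard_gateway_tunnels | dict2items | selectattr('value.default_gateway', 'defined') }}"
  loop_control:
    label: "{{ item.key }}"
  systemd:
    daemon_reload: true
    name: "wireguard-gateway-{{ item.key }}-fix-default-gw.service"
    enabled: true
    state: started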