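---
# Installs WireGuard, generates the server and phone keypairs, writes the
# server config (wg0.conf.j2) and a phone client config, and prints a QR
# code of the phone config for scanning.
#
# The addresses, DNS server and UDP port below are duplicated in
# wg0.conf.j2 (not in this file); keep the two files in sync.

- name: Install WireGuard and tools
  apt:
    name:
      - wireguard
      - wireguard-tools
      - qrencode
    state: present
    update_cache: true
    # skip the apt refresh (and the "changed" it reports) if the cache is recent
    cache_valid_time: 3600

- name: Allow WireGuard port through UFW
  ufw:
    rule: allow
    port: "51820"
    proto: udp

- name: Enable IP forwarding
  sysctl:
    name: net.ipv4.ip_forward
    value: "1"
    sysctl_set: true
    state: present
    reload: true

- name: Create WireGuard config directory
  file:
    path: /etc/wireguard
    state: directory
    mode: "0700"
    owner: root
    group: root

# --- Server keypair ---

- name: Generate server private key
  # umask 077 so the key file is never created world-readable, even briefly,
  # before the permissions task below runs; `creates` makes the task
  # idempotent without a separate stat/when pair.
  shell: umask 077 && wg genkey > /etc/wireguard/server.key
  args:
    creates: /etc/wireguard/server.key

- name: Set permissions on server private key
  file:
    path: /etc/wireguard/server.key
    mode: "0600"
    owner: root
    group: root

- name: Read server private key
  slurp:
    src: /etc/wireguard/server.key
  register: server_private_key
  # the registered result carries the base64 private key; keep it out of -v output
  no_log: true

- name: Derive server public key
  shell: wg pubkey < /etc/wireguard/server.key
  register: server_public_key
  # read-only derivation; never report "changed"
  changed_when: false

# --- Phone keypair ---

- name: Generate phone private key
  # same umask/creates pattern as the server key above
  shell: umask 077 && wg genkey > /etc/wireguard/phone.key
  args:
    creates: /etc/wireguard/phone.key

- name: Set permissions on phone private key
  file:
    path: /etc/wireguard/phone.key
    mode: "0600"
    owner: root
    group: root

- name: Read phone private key
  slurp:
    src: /etc/wireguard/phone.key
  register: phone_private_key
  # the registered result carries the base64 private key; keep it out of -v output
  no_log: true

- name: Derive phone public key
  shell: wg pubkey < /etc/wireguard/phone.key
  register: phone_public_key
  changed_when: false

# --- Server config ---

- name: Write wg0.conf
  template:
    src: wg0.conf.j2
    dest: /etc/wireguard/wg0.conf
    mode: "0600"
    owner: root
    group: root
  notify: Restart wg0
  # the rendered file contains the server private key; keep it out of --diff output
  no_log: true

# --- Service ---

- name: Enable and start wg-quick@wg0
  systemd:
    name: wg-quick@wg0
    enabled: true
    state: started

# --- Phone client config + QR ---

- name: Write phone client config
  copy:
    dest: /etc/wireguard/phone-client.conf
    mode: "0600"
    owner: root
    group: root
    # Address and AllowedIPs must match the phone [Peer] entry in wg0.conf.j2
    content: |
      [Interface]
      PrivateKey = {{ phone_private_key.content | b64decode | trim }}
      Address = 10.10.0.2/32
      DNS = 192.168.7.77
      [Peer]
      PublicKey = {{ server_public_key.stdout }}
      Endpoint = {{ wireguard_endpoint }}:51820
      AllowedIPs = 192.168.7.0/24, 10.10.0.0/24
      PersistentKeepalive = 25
  # the content embeds the phone private key; keep it out of --diff and -v output
  no_log: true

- name: Generate QR code for phone
  shell: qrencode -t ansiutf8 < /etc/wireguard/phone-client.conf
  register: phone_qr
  changed_when: false

- name: Display phone QR code
  # The QR encodes the whole client config, private key included. It is
  # printed so the phone can scan it, which also means it lands in any
  # captured run log; run this interactively.
  debug:
    msg: "{{ phone_qr.stdout_lines }}"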