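---
# Four plays: sanity-check the inventory and harden SSH on the single "embassy"
# host, bring up WireGuard on the vpn group, patch the WireGuard server config,
# and install pterodactyl wings on the moirai_wings hosts.

- name: Preparation
  hosts: vpn
  pre_tasks:
    # Exactly one embassy, exactly one vpn_server, and they must be the same host.
    - name: Verify only one embassy
      ansible.builtin.assert:
        that:
          - groups['embassy'] | length == 1
          - groups['vpn_server'] | length == 1
          - groups['vpn_server'] | intersect(groups['embassy']) | length == 1
        msg: Expected exactly one embassy host, which must also be the only vpn_server host

    - name: Verify ipv6_subnet is set
      when: inventory_hostname == groups['embassy'][0]
      ansible.builtin.assert:
        that: ipv6_subnet is defined
        msg: >
          Expected ipv6_subnet to be defined.
          This should have been done in Terraform or otherwise.

  tasks:
    # As mentioned in the other file, if I set this statically on group_vars,
    # things seem to break.
    - name: Publish the embassy host's ipv6_subnet to every host in the play
      ansible.builtin.set_fact:
        public_ipv6_subnet: "{{ hostvars[groups['embassy'][0]].ipv6_subnet }}"

    # The regexp matches the directive whether it is active or commented out
    # (distro defaults usually ship "#PasswordAuthentication yes") and whatever
    # its current value, so it is rewritten in place rather than a second copy
    # being appended at EOF. sshd honours the first occurrence of a directive,
    # so an appended copy after an active "yes" would be ignored. lineinfile
    # replaces the last matching line; if the file carries several copies,
    # check the result on the host.
    # NOTE(review): if sshd_config begins with an Include of a drop-in
    # directory, a drop-in that sets PasswordAuthentication still takes
    # precedence over this edit — confirm on the embassy host.
    # NOTE(review): keyboard-interactive (PAM) logins are controlled by a
    # separate directive and are not disabled here — confirm that is intended.
    - name: Disable password-based authentication
      when: inventory_hostname == groups['embassy'][0]
      become: true
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*PasswordAuthentication\b'
        line: 'PasswordAuthentication no'
        # Leave the file untouched if sshd would refuse the edited config.
        validate: '/usr/sbin/sshd -t -f %s'
      register: passwordauthentication

    # Same approach as above. The previous pattern only matched a line that
    # read exactly "PubkeyAuthentication" with no value, so it never replaced
    # the real directive.
    - name: Enable public key authentication in SSH
      when: inventory_hostname == groups['embassy'][0]
      become: true
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*PubkeyAuthentication\b'
        line: 'PubkeyAuthentication yes'
        validate: '/usr/sbin/sshd -t -f %s'
      register: publickeyauthentication

    # Restart only when one of the two edits actually changed the file.
    - name: Restart SSH
      when: >
        inventory_hostname == groups['embassy'][0]
        and (passwordauthentication.changed or publickeyauthentication.changed)
      become: true
      ansible.builtin.service:
        name: ssh
        state: restarted

- name: Set up VPN
  hosts: vpn
  become: true
  roles:
    - githubixx.ansible_role_wireguard

# We should really try to get this in upstream, this is so jank.
- name: Patch VPN server settings
  hosts: vpn_server
  become: true
  tasks:
    # The value is interpolated into a shell command below; restricting it to
    # digits keeps shell and sed metacharacters out of that command.
    - name: Verify wireguard_persistent_keepalive is a plain integer
      ansible.builtin.assert:
        that: wireguard_persistent_keepalive | string is match('^[0-9]+$')
        msg: Expected wireguard_persistent_keepalive to be a non-negative integer (seconds)

    # Guarded so a re-run does not append another PersistentKeepalive line
    # after every PublicKey; when the role regenerates wg0.conf without the
    # directive, the guard no longer fires and the patch is applied again.
    # The existing value is not updated if the variable changes.
    - name: Add PersistentKeepalive after every PublicKey line in wg0.conf
      ansible.builtin.shell:
        cmd: |
          if ! grep -q '^PersistentKeepalive' /etc/wireguard/wg0.conf; then
            sed -i '/PublicKey/a PersistentKeepalive = {{ wireguard_persistent_keepalive }}' /etc/wireguard/wg0.conf
            echo patched
          fi
      register: keepalive_patch
      changed_when: "'patched' in keepalive_patch.stdout"

    # Restart to pick up the patched config unless the service is meant to be stopped.
    - name: Apply desired wg-quick@wg0 service state
      ansible.builtin.service:
        name: wg-quick@wg0
        state: "{{ 'restarted' if wireguard_service_state != 'stopped' else 'stopped' }}"
        enabled: "{{ wireguard_service_enabled }}"

- name: Install wings
  hosts: moirai_wings
  remote_user: ubuntu
  # Don't forget to create a new disk if creating new wings. This is
  # purposefully manual to give more fine-grained control
  vars:
    pv_disks:
      - /dev/sda
    vg_name: vg1
    lv_name: pvs
    lv_size: "+100%FREE"
    fs_type: ext4
    mount_path: /var/lib/pterodactyl
    # JSON fragment, presumably spliced into the Docker daemon config by the
    # docker role; the trailing comma is kept as-is — verify against that role.
    extra_docker_daemon_options: |
      "dns": ["10.0.123.123"],
  roles:
    - dns-client
    - lvm
    - docker
    - wings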