---
# Extra repository needed before the openvpn package can be installed
# (presumably openvpn comes from EPEL on CentOS — confirm for other EL
# derivatives such as Rocky/Alma, which this condition does not match).
- name: Enable EPEL repo
  dnf:
    state: present
    name: epel-release
  when: ansible_distribution == 'CentOS'

# The VPN client package itself; nothing is configured at this point.
- name: Install openvpn
  dnf:
    state: present
    name: openvpn

# Holds helper scripts referenced by the OpenVPN configuration.
# root-owned and not group-writable so only root can change what gets executed.
- name: Create openvpn scripts directory
  file:
    state: directory
    path: /etc/openvpn/scripts
    mode: "0750"
    owner: root
    group: openvpn

# Rendered hook script; presumably run by OpenVPN on tunnel up/down to swap
# DNS servers (NOTE(review): confirm against the proton.conf template).
# Writable by root only, since whatever is in this file gets executed.
- name: Install update-resolv-conf script
  template:
    dest: /etc/openvpn/scripts/update-resolv-conf
    src: update-resolv-conf.j2
    mode: "0750"
    owner: root
    group: openvpn

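# Renders the client config and the credentials file. Each loop item carries
# its own mode so the credentials file stays root-readable only (0600).
- name: Install ProtonVPN Config files
  template:
    src: "{{ file.src }}"
    # quoted so the templated path is always parsed as a plain string
    dest: "/etc/openvpn/client/{{ file.dest }}"
    owner: root
    group: openvpn
    mode: "{{ file.mode }}"
  loop:
    - src: proton.conf.j2
      dest: proton.conf
      mode: '0640'
    # NOTE(review): the rendered credentials are shown when the play runs with
    # --diff; consider disabling diff output for this item.
    - src: proton-credentials.j2
      dest: proton-credentials
      mode: '0600'
  loop_control:
    loop_var: file
    label: "{{ file.dest }}"
  # consumed by the restart task at the end of this file
  register: configs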

# Gateway only: unit that re-points Unbound after the tunnel comes back.
# The registered result feeds the restart decision at the end of this file.
- name: Add service to auto configure Unbound on VPN restarts
  template:
    dest: /etc/systemd/system/auto-configure-unbound.service
    src: auto-configure-unbound.service.j2
    mode: "0640"
    owner: root
    group: root
  when: ansible_hostname == 'gateway'
  register: auto_configure_unbound_service_file

# Gateway only: drop-in directory for the templated openvpn-client@ unit.
- name: Ensure openvpn-client service.d folder exists
  file:
    state: directory
    path: /etc/systemd/system/openvpn-client@.service.d/
    mode: "0750"
    owner: root
    group: root
  when: ansible_hostname == 'gateway'

# Gateway only: drop-in that ties auto-configure-unbound.service to the
# openvpn-client@ unit. Registered so a change triggers the final restart.
- name: Add dependencies to openvpn service to fire off auto-configure-unbound.service
  copy:
    dest: /etc/systemd/system/openvpn-client@.service.d/auto-configure-unbound.conf
    src: auto-configure-unbound.conf
    mode: "0640"
    owner: root
    group: root
  when: ansible_hostname == 'gateway'
  register: openvpn_auto_unbound_conf

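# Gateway only: NAT traffic leaving through the drop zone (tun0 is placed in
# that zone by the next task), presumably so forwarded client traffic exits
# the tunnel with the gateway's address.
- name: Add IP masquerading to drop zone
  firewalld:
    zone: drop
    masquerade: 'yes' # requires quotes to keep from converting to type bool
    permanent: true
    immediate: true
    state: enabled
  when:
    - ansible_hostname == 'gateway'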

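# All hosts: bind the VPN interface to firewalld's drop zone so unsolicited
# inbound packets arriving over the tunnel are discarded.
- name: Add tun0 interface to drop zone
  firewalld:
    zone: drop
    interface: tun0
    permanent: true
    immediate: true
    state: enabled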

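# Disabling IPv6 presumably keeps traffic from bypassing the IPv4 tunnel.
# NOTE(review): net.ipv4.ip_forward is enabled on every host here, although
# only 'gateway' masquerades (see the firewalld task above); confirm that
# non-gateway hosts really need to forward packets, otherwise restrict it.
- name: Tweak kernel parameters
  sysctl:
    name: "{{ item }}"
    value: '1'
    state: present
    reload: true
  loop:
    - net.ipv6.conf.all.disable_ipv6
    - net.ipv6.conf.default.disable_ipv6
    - net.ipv4.ip_forward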

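# Restart only when one of the registered file tasks reported a change. The
# two gateway-only tasks are skipped elsewhere, but a skipped task still
# registers a result whose changed is false, so the expression stays valid.
- name: Restart/enable openvpn service
  systemd:
    name: openvpn-client@proton
    daemon_reload: true
    state: restarted
    enabled: true
  when: >-
    configs.changed
    or auto_configure_unbound_service_file.changed
    or openvpn_auto_unbound_conf.changed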