---
# wireguard-tools supplies wg and wg-quick; the wg-quick@ unit started at the
# end of this file depends on it.
- name: Install wireguard-tools
  yum:
    name: wireguard-tools
    state: present

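# Pick one entry of vaulted_wg_info per host. The shuffle is seeded with the
# inventory hostname so repeated runs choose the same endpoint for a given
# host; an unseeded shuffle re-picks every run, which rewrites the config
# and restarts the interface even when nothing changed.
- name: Select a random endpoint
  set_fact:
    wg_info: "{{ vaulted_wg_info | shuffle(seed=inventory_hostname) | first }}"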

# Expose the chosen peer's public key and endpoint as plain facts for the
# wg.conf.j2 template.
- name: Record new endpoint config
  set_fact:
    wg_endpoint: "{{ wg_info.endpoint }}"
    wg_public_key: "{{ wg_info.pubkey }}"

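- name: Copy wireguard config
  template:
    src: wg.conf.j2
    dest: "/etc/wireguard/{{ wg_interface }}.conf"
    owner: root
    group: root
    # A wg-quick config carries the interface's PrivateKey, so it must not be
    # world-readable (wg-quick warns when the file is world accessible).
    mode: '0600'
  # Only a changed config restarts the interface (handler defined elsewhere).
  notify:
    - Restart wireguard interface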

# Permanent-only change: without `immediate`, the zone binding takes effect at
# the next firewalld reload rather than right away.
- name: Add {{ wg_interface }} to external zone
  firewalld:
    interface: "{{ wg_interface }}"
    zone: external
    state: enabled
    permanent: true

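# The internal-side interface comes from gateway_internal_interface; an earlier
# revision derived it as `ansible_interfaces | sort | first`.
- name: Add {{ gateway_internal_interface }} to internal zone
  firewalld:
    zone: internal
    interface: "{{ gateway_internal_interface }}"
    permanent: true
    # Apply to the running firewall too, matching the "Allow services" task,
    # instead of waiting for the next firewalld reload.
    immediate: true
    state: enabled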

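# Bind each allowed client network to the external zone so only those
# sources reach the services opened below.
- name: Allow source networks to use wireguard
  firewalld:
    source: "{{ item }}"
    zone: external
    state: enabled
    permanent: true
    # Apply at runtime as well; otherwise the source binding is inactive until
    # firewalld reloads, unlike the "Allow services" task which is immediate.
    immediate: true
  with_items: "{{ allowed_access_cidrs }}"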
  
# Open each listed firewalld service in the external zone, both in the
# permanent config and in the running firewall.
- name: Allow services
  firewalld:
    service: "{{ item }}"
    zone: external
    state: enabled
    immediate: true
    permanent: true
  with_items: "{{ allowed_services }}"

# Bring the tunnel up now and on boot via the wg-quick template unit.
- name: Start/Enable {{ wg_interface }} interface
  systemd:
    name: "wg-quick@{{ wg_interface }}"
    enabled: true
    state: started