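---
# Rotate the NordVPN endpoint used by the OpenVPN client on 10.0.0.2.
#
# Picks one endpoint at random from the vaulted list, writes its address and
# certificate CN into /etc/openvpn/nord.conf, records the CN for the motd
# helper script, then restarts OpenVPN and unbound.
#
# NOTE(review): both restarts run on every play, so each run drops and
# re-establishes the tunnel. Whether traffic is blocked while the tunnel is
# down depends on firewall rules that are not part of this playbook; confirm.
- hosts: 10.0.0.2
  become: true
  gather_facts: false

  vars_files:
    # Vault-encrypted values; supplies the vaulted_* variables used below.
    - "{{ inventory_dir }}/vars/vault.yaml"

  vars:
    openvpn_service: "openvpn@nord"
    openvpn_remotes: "{{ vaulted_openvpn_remotes }}"
    # NOTE(review): openvpn_user and openvpn_pass are not referenced by any
    # task in this play; confirm whether anything still needs them here.
    openvpn_user: "{{ vaulted_openvpn_user }}"
    openvpn_pass: "{{ vaulted_openvpn_pass }}"

  tasks:
    # Go through the openvpn_remotes play variable rather than the vaulted
    # name directly, so the indirection declared in vars is actually honoured.
    - name: Select random NordVPN Endpoint
      ansible.builtin.set_fact:
        nord_endpoint: "{{ openvpn_remotes | random }}"

    # Each endpoint entry is expected to carry a "remote" and a "cn" key.
    - name: Set config from chosen endpoint "{{ nord_endpoint.cn }}"
      ansible.builtin.set_fact:
        nord_remote: "{{ nord_endpoint.remote }}"
        nord_cn: "{{ nord_endpoint.cn }}"

    # Fail before any file is modified if a value is empty or contains
    # whitespace. OpenVPN splits config lines on whitespace, so such a value
    # would be read as extra arguments (or, with a newline, as an extra
    # directive) in a root-owned config that pins the server identity.
    - name: Validate chosen endpoint before editing the VPN config
      ansible.builtin.assert:
        that:
          # split() returns exactly [value] only for one non-empty token.
          - "(nord_remote | string).split() == [nord_remote | string]"
          - "(nord_cn | string).split() == [nord_cn | string]"
        fail_msg: >-
          Chosen endpoint has an empty or whitespace-containing remote or cn;
          refusing to write it to the OpenVPN config.
        quiet: true

    # lineinfile replaces only the LAST line matching regexp and appends the
    # line when nothing matches. NOTE(review): if nord.conf ever holds more
    # than one "remote" line, the others keep pointing at servers whose
    # certificate will not match the verify-x509-name written here.
    # The port is fixed at 443; the proto directive is not managed here.
    - name: Update config file settings
      ansible.builtin.lineinfile:
        path: /etc/openvpn/nord.conf
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
      loop:
        - label: remote
          regexp: '^remote '
          line: "remote {{ nord_remote }} 443"
        - label: cn
          regexp: '^verify-x509-name'
          line: "verify-x509-name CN={{ nord_cn }}"
      loop_control:
        # Show only the short label in task output instead of the full item.
        label: "{{ item.label }}"

    - name: Update motd script with new endpoint
      ansible.builtin.lineinfile:
        path: /usr/local/bin/vpn-endpoint
        regexp: "^endpoint="
        line: "endpoint={{ nord_cn }}"

    # Unconditional restart: applies the new endpoint to the running tunnel.
    - name: Bounce {{ openvpn_service }} service
      ansible.builtin.systemd_service:
        name: "{{ openvpn_service }}"
        state: restarted

    # NOTE(review): presumably restarted so the resolver starts fresh on the
    # new tunnel; the reason is not stated in this playbook.
    - name: Bounce unbound service
      ansible.builtin.systemd_service:
        name: unbound
        state: restarted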