- name: Install packages
  package:
    name:
      - netmask # for ocserv-script
      - ocserv
    install_recommends: false # don’t install dnsmasq for whatever reason

- name: Configure firewall
  copy:
    dest: /etc/nftables.d/
    src: ocserv.nft
  notify: reload nftables

- name: Generate CA key
  command:
    cmd: openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-256 -out ca.key
    chdir: /etc/ocserv
    creates: ca.key
  notify: restart ocserv

- name: Create CA certificate
  command:
    cmd: >
      openssl req -key ca.key -out ca.crt -new -x509 -days 3650
          -subj "/O=FRI/CN=vrata"
          -addext keyUsage=critical,keyCertSign,cRLSign
    chdir: /etc/ocserv
    creates: ca.crt
  notify: restart ocserv

# this script allows routing from the client to their networks on connection
- name: Install ocserv firewall script
  copy:
    dest: /usr/local/bin/
    src: ocserv-script
    mode: 755

- name: Configure ocserv
  template:
    dest: /etc/ocserv/ocserv.conf
    src: ocserv.conf.j2
  notify: restart ocserv

- name: Create config-per-group directory
  file:
    path: /etc/ocserv/config-per-group/
    state: directory

- name: Configure ocserv routes for each group
  template:
    dest: '/etc/ocserv/config-per-group/{{ item.key }}'
    src: ocserv-group.j2
  loop: '{{ vpn.routes | dict2items }}'
  notify: restart ocserv

- name: Create ocserv service override directory
  file:
    path: /etc/systemd/system/ocserv.service.d
    state: directory
    owner: root
    group: root
    mode: 0755

- name: Set ocserv to start after network is online
  copy:
    dest: /etc/systemd/system/ocserv.service.d/override.conf
    content: |
      [Unit]
      After=network-online.target
      Wants=network-online.target
  notify: reload systemd

- name: Enable IP forwarding
  sysctl:
    name: net.ipv4.ip_forward
    value: 1
    sysctl_file: /etc/sysctl.d/99-local.conf
    sysctl_set: true