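---
# Tasks for the openvpn role: packages, config-tree directories, the optional
# management/radius/ldap pieces, the server or client configuration, the shared
# key material (ta.key / dh2048.pem) distributed from the master host, the
# service state and the related sysctl settings.
#
# Fixes in this revision:
#   - "Remove some ccd configurations" used `item.state defined`, which is not
#     valid Jinja (`is defined` is required) and failed whenever a user entry
#     carried a `state` key.
#   - "Create the ta key" ran `cd DIR && openvpn ...` through
#     ansible.builtin.command, which does not go through a shell, so `cd` and
#     `&&` are passed to execve and the task fails; `chdir` is the supported way.

- name: openvpn | Manage the packages and the file system
  when: openvpn_enabled
  tags: openvpn
  block:
    - name: openvpn | Install the OpenVPN main packages
      ansible.builtin.apt:
        pkg: "{{ openvpn_pkgs }}"
        state: "{{ openvpn_pkg_state }}"
        update_cache: true
        cache_valid_time: 1800

    # Directories are writable by the unprivileged user OpenVPN drops to
    # (ipp/status are written at runtime); root keeps group access via 0770.
    - name: openvpn | Create the auth, ipp, ccd and status subdirs
      ansible.builtin.file:
        dest: "{{ openvpn_conf_dir }}/{{ item }}"
        state: directory
        owner: "{{ openvpn_unprivileged_user }}"
        group: root
        mode: "0770"
      loop:
        - ipp
        - status
        - auth
        - ccd

- name: openvpn | Management key
  when: openvpn_management_enabled
  tags: ['openvpn', 'openvpn_management']
  block:
    # The management password file is read by the daemon at startup (as root),
    # hence root:root 0400.
    - name: openvpn | Install the OpenVPN management key file
      ansible.builtin.template:
        src: management.txt.j2
        dest: "{{ openvpn_management_file }}"
        owner: root
        group: root
        mode: "0400"

- name: openvpn | Plugins to enable the radius authentication
  when: openvpn_radius_auth
  tags: ['openvpn', 'openvpn_radius']
  block:
    - name: openvpn | Install the OpenVPN radius auth plugin package
      ansible.builtin.apt:
        pkg: "{{ openvpn_radius_pkg }}"
        state: "{{ openvpn_pkg_state }}"
        update_cache: true
        cache_valid_time: 1800

- name: openvpn | Plugin that manages the LDAP authentication
  when: openvpn_ldap_auth
  tags: ['openvpn', 'openvpn_ldap', 'openvpn_basic_conf']
  block:
    - name: openvpn | Install the OpenVPN ldap auth plugin package
      ansible.builtin.apt:
        pkg: "{{ openvpn_ldap_pkg }}"
        state: "{{ openvpn_pkg_state }}"
        update_cache: true
        cache_valid_time: 1800

    # Readable by the unprivileged group only: the LDAP config may contain a
    # bind password, so it must not be world-readable.
    - name: openvpn | Install the LDAP auth configuration file
      ansible.builtin.template:
        src: auth-ldap.conf.j2
        dest: "{{ openvpn_conf_dir }}/auth/auth-ldap.conf"
        owner: root
        group: "{{ openvpn_unprivileged_group }}"
        mode: "0440"
      notify: Reload OpenVPN

- name: openvpn | Remove the LDAP plugin configuration
  when: not openvpn_ldap_auth
  tags: ['openvpn', 'openvpn_ldap', 'openvpn_basic_conf']
  block:
    - name: openvpn | Remove the LDAP auth configuration file if LDAP is not used
      ansible.builtin.file:
        dest: "{{ openvpn_conf_dir }}/auth/auth-ldap.conf"
        state: absent
      notify: Reload OpenVPN

- name: openvpn | OpenVPN configuration
  when: openvpn_mode == 'server'
  tags: ['openvpn', 'openvpn_conf']
  block:
    - name: openvpn | Install the main OpenVPN configuration file on the servers
      ansible.builtin.template:
        src: server.conf.j2
        dest: "{{ openvpn_conf_dir }}/{{ openvpn_conf_name }}"
        owner: root
        group: "{{ openvpn_unprivileged_group }}"
        mode: "0440"
      notify: Restart OpenVPN
      tags: ['openvpn', 'openvpn_conf', 'openvpn_conf_file', 'openvpn_basic_conf']

    # item.cn is used verbatim as a file name under ccd/; the list comes from
    # the role's own variables, so keep the entries to plain certificate CNs.
    # Entries without a `state` key are treated as present.
    - name: openvpn | Install the custom configuration for specific OpenVPN users in the servers
      ansible.builtin.template:
        src: user-ccd.conf.j2
        dest: "{{ openvpn_conf_dir }}/ccd/{{ item.cn }}"
        owner: root
        group: "{{ openvpn_unprivileged_group }}"
        mode: "0440"
      loop: '{{ openvpn_users_customizations | default([]) }}'
      when: item.state is not defined or item.state == "present"
      tags: ['openvpn', 'openvpn_conf', 'openvpn_ccd']

    # `is defined` (not `defined`) is the valid Jinja test; the previous form
    # raised a template error as soon as an entry declared a `state`.
    - name: openvpn | Remove some ccd configurations
      ansible.builtin.file:
        dest: "{{ openvpn_conf_dir }}/ccd/{{ item.cn }}"
        state: absent
      loop: '{{ openvpn_users_customizations | default([]) }}'
      when: item.state is defined and item.state == "absent"
      tags: ['openvpn', 'openvpn_conf', 'openvpn_ccd']

    # easy-rsa (the CA tooling) is only needed where the CA lives: the master.
    - name: openvpn | Install the easy-rsa package on servers when we use the certificate authentication
      ansible.builtin.apt:
        pkg: easy-rsa
        state: "{{ openvpn_pkg_state }}"
        update_cache: true
        cache_valid_time: 1800
      when:
        - openvpn_cert_auth_enabled | bool
        - openvpn_is_master_host | bool

- name: openvpn | Clients configuration
  when: openvpn_mode != 'server'
  tags: ['openvpn', 'openvpn_conf']
  block:
    - name: openvpn | Install the main OpenVPN configuration file on the clients
      ansible.builtin.template:
        src: client.conf.j2
        dest: "{{ openvpn_conf_dir }}/{{ openvpn_conf_name }}"
        owner: root
        group: "{{ openvpn_unprivileged_group }}"
        mode: "0440"
      notify: Restart OpenVPN

- name: openvpn | Service defaults
  tags: ['openvpn', 'openvpn_conf']
  block:
    - name: openvpn | Install the OpenVPN init defaults
      ansible.builtin.template:
        src: openvpn-defaults.j2
        dest: /etc/default/openvpn
        owner: root
        group: root
        mode: "0444"
      notify:
        - Restart OpenVPN
        - Reload systemd

# Key material is generated once, on the master host only, and then fetched
# to the controller so the other nodes get identical copies (see next block).
- name: openvpn | Manage the ta and dh files
  when: openvpn_is_master_host
  tags: ['openvpn', 'openvpn_conf']
  block:
    # 2048-bit DH parameters; the size is fixed by the file name used in the
    # server template, so do not change one without the other.
    - name: openvpn | Create the dh file
      ansible.builtin.command: "openssl dhparam -out {{ openvpn_conf_dir }}/dh2048.pem 2048"
      args:
        creates: '{{ openvpn_conf_dir }}/dh2048.pem'

    # DH parameters are public; 0444 is fine.
    - name: openvpn | Fix the dh file permissions
      ansible.builtin.file:
        dest: "{{ openvpn_conf_dir }}/dh2048.pem"
        owner: root
        group: root
        mode: "0444"

    # ansible.builtin.command does not spawn a shell, so `cd DIR && ...` cannot
    # work there; `chdir` gives the same working directory for the tool.
    # NOTE(review): newer OpenVPN releases document this as
    # `openvpn --genkey secret ta.key`; the old form is still accepted on the
    # versions this role has been used with - confirm against the installed one.
    - name: openvpn | Create the ta key
      ansible.builtin.command: "openvpn --genkey --secret ta.key"
      args:
        chdir: '{{ openvpn_conf_dir }}'
        creates: '{{ openvpn_conf_dir }}/ta.key'

    # ta.key is a shared secret (tls-auth/tls-crypt): root-only, read-only.
    - name: openvpn | Fix the ta.key file permissions
      ansible.builtin.file:
        dest: "{{ openvpn_conf_dir }}/ta.key"
        owner: root
        group: root
        mode: "0400"

    # NOTE(review): this lands ta.key under /tmp/openvpn_secrets on the
    # controller, i.e. below a world-readable directory with fetch's default
    # modes, and nothing here removes it afterwards. Keeping it is required by
    # the copy task below, but a controller-private path (or a cleanup task at
    # the end of the play) would limit the exposure.
    - name: openvpn | Fetch both the ta and the dh files from the master node
      ansible.builtin.fetch:
        src: "{{ item }}"
        dest: /tmp/openvpn_secrets
      loop:
        - '{{ openvpn_conf_dir }}/ta.key'
        - '{{ openvpn_conf_dir }}/dh2048.pem'

# Depends on the fetch above having run on openvpn_master_host earlier in the
# same play: fetch stores files as DEST/<inventory_hostname>/<remote path>.
- name: openvpn | Manage the ta and dh files in the remote nodes
  when: not openvpn_is_master_host
  tags: ['openvpn', 'openvpn_conf', 'openvpn_shared_secrets']
  block:
    # force: true keeps every node in sync with the master even if a local
    # copy already exists; both files end up root-only.
    - name: openvpn | Install the dh and ta.key files
      ansible.builtin.copy:
        src: "/tmp/openvpn_secrets/{{ openvpn_master_host }}/{{ openvpn_conf_dir }}/{{ item }}"
        dest: "{{ openvpn_conf_dir }}/{{ item }}"
        owner: root
        group: root
        mode: "0400"
        force: true
      loop:
        - 'ta.key'
        - 'dh2048.pem'

- name: openvpn | Manage the service status
  tags: ['openvpn', 'openvpn_service']
  block:
    - name: openvpn | Ensure that the OpenVPN service is enabled and running
      ansible.builtin.service:
        name: openvpn
        state: started
        enabled: true
      when: openvpn_enabled

    - name: openvpn | Ensure that the OpenVPN service is stopped and disabled
      ansible.builtin.service:
        name: openvpn
        state: stopped
        enabled: false
      when: not openvpn_enabled

- name: openvpn | Manage the kernel forwarding
  tags: ['openvpn', 'openvpn_kernel_forwarding']
  block:
    # Always runs: forwarding is switched on only while both flags hold and is
    # switched back off otherwise, so disabling the role also closes the path.
    - name: openvpn | Enable kernel forwarding
      ansible.posix.sysctl:
        name: "{{ item }}"
        value: "{% if openvpn_enable_system_forward and openvpn_enabled %}1{% else %}0{% endif %}"
        reload: true
        state: present
      loop:
        - net.ipv4.ip_forward
        # - net.ipv6.conf.all.forwarding

- name: openvpn | Manage the SYN cookies settings
  tags: ['openvpn', 'openvpn_kernel_syn_cookies']
  block:
    # Runs only when both conditions hold, so in practice the value is always
    # 0: this task disables SYN cookies (a SYN-flood mitigation) for TCP mode
    # and never re-enables them; flipping the flag back has no effect here.
    - name: openvpn | Disable tcp syn cookies
      ansible.posix.sysctl:
        name: "{{ item }}"
        value: "{% if openvpn_disable_tcp_syn_cookie and openvpn_protocol == 'tcp' %}0{% else %}1{% endif %}"
        reload: true
        state: present
      loop:
        - net.ipv4.tcp_syncookies
      when:
        - openvpn_disable_tcp_syn_cookie | bool
        - openvpn_protocol == 'tcp'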