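---
# OpenVPN server setup.
#
# Installs the packages, up/down hook scripts, SELinux policy tweaks,
# PKI material, per-subnet server configs, and the firewalld service
# for an OpenVPN server. Variables come from the per-OS-family vars
# file included first (openvpn_packages, openvpn_bridge_type,
# openvpn_vpn_name, openvpn_subnets, ...).
#
# Security notes:
#   - server.key / ta.key are private material copied verbatim from the
#     role's files/ tree. Keep them out of plain VCS (ansible-vault or a
#     lookup from a secret store) — the copy module reads them as-is.
#   - openvpn_run_unconfined + openvpn_unconfined_script_exec_t let the
#     up/down scripts run *unconfined* under SELinux, so whoever can edit
#     vpn-up.sh effectively has unconfined root. The script is therefore
#     kept root-owned, 0755, in a root-owned 0750 directory.
- name: Openvpn Server setup
  block:
    - name: Include vars for {{ ansible_os_family }}
      include_vars: "{{ ansible_os_family }}_{{ ansible_distribution_major_version }}.yml"

    - name: Install packages for openvpn
      package:
        name: "{{ openvpn_packages }}"
        state: present
        # Passed through to the underlying apt/yum/dnf module.
        update_cache: true

    # Only when the bridge backend is Open vSwitch; a plain Linux bridge
    # needs nothing installed here.
    - name: Install OpenVSwitch
      include_role:
        name: openvswitch
      when:
        - openvpn_bridge_type == "ovs"

    # Bridge creation is left to the host for now; both attempts below
    # were abandoned (kept for reference).
    # - openvswitch_bridge:
    #     bridge: "{{ openvpn_bridge }}"
    #     parent: "{{ openvpn_bridgemaster }}"
    #     vlan: "{{ openvpn_vlan }}"
    #     state: present
    #   when:
    #     - openvpn_bridge_type == "ovs"
    #
    # Does not work:
    # - name: try nmcli add bridge - conn_name only & ip4 gw4 mode
    #   nmcli:
    #     type: bridge
    #     conn_name: '{{ openvpn_bridge }}'
    #     ip4: '{{ openvpn_bridge_ip }}/24'
    #     state: present
    #   when:
    #     - openvpn_bridge_type == "bridge"

    # File modes are quoted: an unquoted 0750 is parsed as a YAML 1.1
    # octal int and only works by accident of Ansible's mode handling.
    - name: Make server config directory
      file:
        path: /etc/openvpn/server
        state: directory
        owner: root
        group: root
        mode: "0750"

    # One script serves both hooks; OpenVPN passes "up"/"down" as the
    # script type, vpn-down.sh is just a symlink to it.
    - name: Install vpn-up.sh script
      template:
        src: etc/openvpn/server/vpn-up-down.sh.j2
        dest: /etc/openvpn/server/vpn-up.sh
        owner: root
        group: root
        mode: "0755"

    - name: Install vpn-down.sh link
      file:
        src: vpn-up.sh
        dest: /etc/openvpn/server/vpn-down.sh
        state: link
        force: true

    # SELinux tasks are skipped on hosts where SELinux is absent or
    # disabled (seboolean/sefcontext fail hard there). Facts may be
    # missing when gather_facts is off, hence the defaults.
    # Equivalent of: setsebool -P openvpn_run_unconfined on
    # NOTE(review): this weakens confinement for the hook scripts only;
    # confirm the up/down script really needs it before keeping it.
    - name: Set boolean selinux flag for scripts
      seboolean:
        name: openvpn_run_unconfined
        state: true
        persistent: true
      when:
        - (ansible_selinux | default({})).status | default('disabled') == 'enabled'

    # Equivalent of: semanage fcontext -a -t openvpn_unconfined_script_exec_t vpn-up.sh
    # sefcontext only records the policy rule; it does not relabel an
    # existing file, and vpn-up.sh was just created above, so restorecon
    # is run explicitly whenever the rule changes.
    - name: Set selinux context to vpn-up.sh script
      sefcontext:
        target: '/etc/openvpn/server/vpn-up.sh'
        setype: openvpn_unconfined_script_exec_t
        state: present
      register: openvpn_sefcontext_result
      when:
        - (ansible_selinux | default({})).status | default('disabled') == 'enabled'

    - name: Apply selinux context to vpn-up.sh script
      command: restorecon -v /etc/openvpn/server/vpn-up.sh
      when:
        - (ansible_selinux | default({})).status | default('disabled') == 'enabled'
        - openvpn_sefcontext_result is changed

    # PKI material is generated out-of-band and dropped into the role's
    # files/ tree. Reference commands:
    #   openssl pkcs12 -in PFXFILE -cacerts -nokeys -out ca.pem
    #   openssl pkcs12 -in PFXFILE -nokeys -clcerts -out cert.pem
    #   openssl pkcs12 -in PFXFILE -nocerts -nodes -out key.pem
    #   openssl dhparam -out dh2048.pem 2048
    #   source vars
    #   ./pkitool Client1
    # More steps are needed to generate the certificate files.
    # server.key and ta.key are secrets: vault them, never commit in clear.
    - name: Install Certificat files
      copy:
        src: etc/openvpn/server/easy-rsa/2.0/keys/{{ item }}
        dest: /etc/openvpn/server/{{ item }}
        owner: root
        group: root
        # Private keys and the tls-auth key must not be world-readable;
        # 0600 is applied to all five for simplicity.
        mode: "0600"
      loop:
        - ca.crt
        - dh2048.pem
        - server.crt
        - server.key
        - ta.key

    # One config per entry of openvpn_subnets (each entry supplies at
    # least .proto); the systemd unit name is derived from the same pair.
    - name: Install openvpn configuration files
      template:
        src: etc/openvpn/server/config.conf.j2
        dest: /etc/openvpn/server/{{ openvpn_vpn_name }}.{{ item.proto }}.conf
        owner: root
        group: root
        mode: "0644"
      loop: "{{ openvpn_subnets }}"
      notify: "Restart openvpn-server-{{ item.proto }}"

    # Only enables the units; the first start happens through the
    # restart handler notified by the config template above.
    - name: Enable openvpn services
      service:
        name: "openvpn-server@{{ openvpn_vpn_name }}.{{ item.proto }}"
        enabled: true
      loop: "{{ openvpn_subnets }}"

    # firewalld service names cannot contain dots, so the VPN name is
    # sanitised the same way here and in the "Open Firewalld" task.
    - name: Install Personnal OpenVPN config file for firewalld
      template:
        src: etc/firewalld/services/openvpn.xml
        dest: /etc/firewalld/services/openvpn-{{ openvpn_vpn_name | regex_replace('\.','_') }}.xml
        owner: root
        group: root
        mode: "0644"
      register: result

    # A new service definition is only visible to firewalld after a
    # reload; without it the next task fails with an unknown service.
    - name: reload firewalld to refresh service list
      command: firewall-cmd --reload
      when: result is changed

    - name: Open Firewalld
      firewalld:
        service: openvpn-{{ openvpn_vpn_name | regex_replace('\.','_') }}
        permanent: true
        state: enabled
        immediate: true

    # Manual equivalents, for reference:
    #   firewall-cmd --reload
    #   firewall-cmd --add-service openvpn --permanent
    #   firewall-cmd --add-service openvpn-tcp --permanent
    #   firewall-cmd --zone=external --change-interface=eth0
    #   firewall-cmd --add-service=openvpn --zone=external --permanent
    #   firewall-cmd --add-service=openvpn-tcp --zone=external --permanent
  tags:
    - openvpn
    - openvpn-server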