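---
# Client-side strongSwan tasks: install packages, render the per-user IPsec
# config and secrets, wire them into the main ipsec.conf/ipsec.secrets, and
# install the CA certificate, client certificate and private key.

- name: Gather Facts
  ansible.builtin.setup:

- name: Include system based facts and tasks
  ansible.builtin.import_tasks: systems/main.yml

- name: Install prerequisites
  ansible.builtin.package:
    name: "{{ item }}"
    state: present
  with_items:
    - "{{ prerequisites }}"
  # Package managers fail transiently (locks, mirrors); retry before giving up.
  register: result
  until: result is succeeded
  retries: 10
  delay: 3

- name: Install strongSwan
  ansible.builtin.package:
    name: strongswan
    state: present
  register: result
  until: result is succeeded
  retries: 10
  delay: 3

- name: Setup the ipsec config
  ansible.builtin.template:
    src: roles/strongswan/templates/client_ipsec.conf.j2
    dest: "{{ configs_prefix }}/ipsec.{{ IP_subject_alt_name }}.conf"
    mode: "0644"
  with_items:
    - "{{ vpn_user }}"
  notify:
    - Restart strongswan

- name: Setup the ipsec secrets
  ansible.builtin.template:
    src: roles/strongswan/templates/client_ipsec.secrets.j2
    dest: "{{ configs_prefix }}/ipsec.{{ IP_subject_alt_name }}.secrets"
    # Holds key material; must never be world-readable.
    mode: "0600"
  with_items:
    - "{{ vpn_user }}"
  notify:
    - Restart strongswan

- name: Include additional ipsec config
  ansible.builtin.lineinfile:
    dest: "{{ item.dest }}"
    line: "{{ item.line }}"
    create: true
    # With create: true the new file's mode would otherwise follow the umask;
    # pin it per item so ipsec.secrets is created (and kept) owner-only.
    mode: "{{ item.mode }}"
  with_items:
    - dest: "{{ configs_prefix }}/ipsec.conf"
      line: "include ipsec.{{ IP_subject_alt_name }}.conf"
      mode: "0644"
    - dest: "{{ configs_prefix }}/ipsec.secrets"
      line: "include ipsec.{{ IP_subject_alt_name }}.secrets"
      mode: "0600"
  notify:
    - Restart strongswan

# Security-relevant: this snippet relaxes strongSwan's CA constraint checks
# (see the shipped conf file for the exact options). It deliberately loosens
# trust-chain validation, so keep it in view when reviewing the client's trust
# configuration.
- name: Configure libstrongswan to relax CA constraints
  ansible.builtin.copy:
    src: libstrongswan-relax-constraints.conf
    dest: "{{ configs_prefix }}/strongswan.d/relax-ca-constraints.conf"
    owner: root
    group: root
    mode: "0644"

- name: Setup the certificates and keys
  ansible.builtin.template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "{{ item.mode }}"
  with_items:
    # Public material (client cert, CA cert) may be world-readable; the
    # private key is installed owner-only.
    - src: "configs/{{ IP_subject_alt_name }}/ipsec/.pki/certs/{{ vpn_user }}.crt"
      dest: "{{ configs_prefix }}/ipsec.d/certs/{{ vpn_user }}.crt"
      mode: "0644"
    - src: "configs/{{ IP_subject_alt_name }}/ipsec/.pki/cacert.pem"
      dest: "{{ configs_prefix }}/ipsec.d/cacerts/{{ IP_subject_alt_name }}.pem"
      mode: "0644"
    - src: "configs/{{ IP_subject_alt_name }}/ipsec/.pki/private/{{ vpn_user }}.key"
      dest: "{{ configs_prefix }}/ipsec.d/private/{{ vpn_user }}.key"
      mode: "0600"
  notify:
    - Restart strongswan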