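---
# OpenVPN role tasks: package installation, LDAP/RADIUS auth plugins,
# server/client configuration, DH and tls-auth key material, distribution
# of the shared secrets from the master host, kernel forwarding and the
# service state.
#
# Module arguments use native YAML (no key=value strings), booleans are
# lowercase true/false and file modes are quoted so the octal values are
# never reinterpreted by a YAML parser.

- block:
    - name: Install the OpenVPN main packages
      apt:
        name: '{{ openvpn_pkgs }}'
        state: '{{ openvpn_pkg_state }}'
        update_cache: true
        cache_valid_time: 1800

    # Owned by the unprivileged OpenVPN user so the daemon can write ipp/status
    # after dropping privileges; group root, no access for others.
    - name: Create the auth, ipp, ccd and status subdirs
      file:
        dest: '{{ openvpn_conf_dir }}/{{ item }}'
        state: directory
        owner: '{{ openvpn_unprivileged_user }}'
        group: root
        mode: '0770'
      with_items:
        - ipp
        - status
        - auth
        - ccd
  when: openvpn_enabled
  tags: openvpn

- block:
    - name: Install the OpenVPN radius auth plugin package
      apt:
        name: '{{ openvpn_radius_pkg }}'
        state: '{{ openvpn_pkg_state }}'
        update_cache: true
        cache_valid_time: 1800
  when: openvpn_radius_auth
  tags: ['openvpn', 'openvpn_radius']

- block:
    - name: Install the OpenVPN ldap auth plugin package
      apt:
        name: '{{ openvpn_ldap_pkg }}'
        state: '{{ openvpn_pkg_state }}'
        update_cache: true
        cache_valid_time: 1800

    # The LDAP config may carry bind credentials: readable only by root and
    # the OpenVPN group.
    - name: Install the LDAP auth configuration file
      template:
        src: auth-ldap.conf.j2
        dest: '{{ openvpn_conf_dir }}/auth/auth-ldap.conf'
        owner: root
        group: '{{ openvpn_unprivileged_group }}'
        mode: '0440'
      notify: Reload OpenVPN
  when: openvpn_ldap_auth
  tags: ['openvpn', 'openvpn_ldap']

- block:
    - name: Remove the LDAP auth configuration file if LDAP is not used
      file:
        dest: '{{ openvpn_conf_dir }}/auth/auth-ldap.conf'
        state: absent
      notify: Reload OpenVPN
  when: not openvpn_ldap_auth
  tags: ['openvpn', 'openvpn_ldap']

- block:
    - name: Install the perl libraries needed by the LDAP client authentication script
      apt:
        name: '{{ openvpn_perl_pkg }}'
        state: '{{ openvpn_pkg_state }}'
        update_cache: true
        cache_valid_time: 1800

    - name: Install the perl LDAP auth script
      template:
        src: auth-ldap.pl.j2
        dest: '{{ openvpn_conf_dir }}/auth/auth-ldap'
        owner: root
        group: '{{ openvpn_unprivileged_group }}'
        mode: '0550'
  when: openvpn_ldap_perl_auth
  tags: ['openvpn', 'openvpn_ldap']

- block:
    - name: Install the main OpenVPN configuration file on the servers
      template:
        src: server.conf.j2
        dest: '{{ openvpn_conf_dir }}/{{ openvpn_conf_name }}'
        owner: root
        group: '{{ openvpn_unprivileged_group }}'
        mode: '0440'
      notify: Restart OpenVPN

    # One client-config-dir file per entry in openvpn_users_customizations;
    # an undefined variable yields an empty loop instead of a failure.
    - name: Install the custom configuration for specific OpenVPN users in the servers
      template:
        src: user-ccd.conf.j2
        dest: '{{ openvpn_conf_dir }}/ccd/{{ item.user }}'
        owner: root
        group: '{{ openvpn_unprivileged_group }}'
        mode: '0440'
      with_items: '{{ openvpn_users_customizations | default([]) }}'
      notify: Reload OpenVPN

    - name: Install the easy-rsa package on servers when we use the certificate authentication
      apt:
        name: easy-rsa
        state: '{{ openvpn_pkg_state }}'
        update_cache: true
        cache_valid_time: 1800
      when:
        - openvpn_cert_auth_enabled
        - openvpn_is_master_host
  when: openvpn_mode == 'server'
  tags: ['openvpn', 'openvpn_conf']

- block:
    - name: Install the main OpenVPN configuration file on the clients
      template:
        src: client.conf.j2
        dest: '{{ openvpn_conf_dir }}/{{ openvpn_conf_name }}'
        owner: root
        group: '{{ openvpn_unprivileged_group }}'
        mode: '0440'
      notify: Restart OpenVPN
  when: openvpn_mode != 'server'
  tags: ['openvpn', 'openvpn_conf']

- block:
    - name: Install the OpenVPN init defaults
      template:
        src: openvpn-defaults.j2
        dest: /etc/default/openvpn
        owner: root
        group: root
        mode: '0444'
      notify:
        - Restart OpenVPN
        - Reload systemd
  tags: ['openvpn', 'openvpn_conf']

# Key material is generated locally on the master host, or on every host
# when there is no HA setup. Neither command needs a shell: `creates` makes
# both idempotent and `chdir` replaces the `cd ... &&` wrapper.
- block:
    - name: Create the dh file
      command: openssl dhparam -out {{ openvpn_conf_dir }}/dh2048.pem 2048
      args:
        creates: '{{ openvpn_conf_dir }}/dh2048.pem'

    # DH parameters are public; world-readable is fine.
    - name: Fix the dh file permissions
      file:
        dest: '{{ openvpn_conf_dir }}/dh2048.pem'
        owner: root
        group: root
        mode: '0444'

    - name: Create the ta key
      command: openvpn --genkey --secret ta.key
      args:
        chdir: '{{ openvpn_conf_dir }}'
        creates: '{{ openvpn_conf_dir }}/ta.key'

    # The tls-auth key is a shared secret: root-only.
    - name: Fix the ta.key file permissions
      file:
        dest: '{{ openvpn_conf_dir }}/ta.key'
        owner: root
        group: root
        mode: '0400'
  when: openvpn_is_master_host or not openvpn_ha
  tags: ['openvpn', 'openvpn_conf']

# HA slaves fetch the shared secrets from the master. The copy is
# best-effort (ignore_errors) so an unreachable master does not abort the
# play. openvpn_conf_dir is used as an absolute path by every task above,
# so the destination no longer prepends an extra '/'.
- block:
    - name: Get the dh file from the master host
      synchronize:
        src: '{{ openvpn_conf_dir }}/dh2048.pem'
        #dest: 'rsync://root@{{ ansible_fqdn }}/{{ openvpn_conf_dir }}/dh2048.pem'
        dest: '{{ openvpn_conf_dir }}/dh2048.pem'
      delegate_to: '{{ openvpn_master_host }}'
      ignore_errors: true

    # ta.key has to be readable by the account running rsync on the master
    # (presumably the non-root connecting user - confirm against the
    # inventory), so it is temporarily relaxed to 0444. The `always` section
    # guarantees it is put back to 0400 on the master even when the copy or
    # the local permission fix fails.
    - block:
        - name: Relax the ta.key file permissions so that it can be copied around
          file:
            dest: '{{ openvpn_conf_dir }}/ta.key'
            owner: root
            group: root
            mode: '0444'
          delegate_to: '{{ openvpn_master_host }}'
          ignore_errors: true

        - name: Get the ta key from the master host
          synchronize:
            src: '{{ openvpn_conf_dir }}/ta.key'
            #dest: 'rsync://root@{{ ansible_fqdn }}/{{ openvpn_conf_dir }}/ta.key'
            dest: '{{ openvpn_conf_dir }}/ta.key'
          delegate_to: '{{ openvpn_master_host }}'
          ignore_errors: true

        - name: Fix the ta.key file permissions
          file:
            dest: '{{ openvpn_conf_dir }}/ta.key'
            owner: root
            group: root
            mode: '0400'
      always:
        - name: Fix the ta.key file permissions on the master host
          file:
            dest: '{{ openvpn_conf_dir }}/ta.key'
            owner: root
            group: root
            mode: '0400'
          delegate_to: '{{ openvpn_master_host }}'
          ignore_errors: true
  when:
    - openvpn_ha
    - not openvpn_is_master_host
  tags: ['openvpn', 'openvpn_conf', 'openvpn_shared_secrets']

# Clients fetch the same secrets from the master. Here a failed dh copy or
# failed relax step is a hard error; only the ta.key fetch stays best-effort,
# and the master's permissions are restored via `always` as above.
- block:
    - name: Get the dh file from the master host
      synchronize:
        src: '{{ openvpn_conf_dir }}/dh2048.pem'
        #dest: 'rsync://root@{{ ansible_fqdn }}/{{ openvpn_conf_dir }}/dh2048.pem'
        dest: '{{ openvpn_conf_dir }}/dh2048.pem'
      delegate_to: '{{ openvpn_master_host }}'

    - block:
        - name: Relax the ta.key file permissions so that it can be copied around
          file:
            dest: '{{ openvpn_conf_dir }}/ta.key'
            owner: root
            group: root
            mode: '0444'
          delegate_to: '{{ openvpn_master_host }}'

        - name: Get the ta key from the master host
          synchronize:
            src: '{{ openvpn_conf_dir }}/ta.key'
            #dest: 'rsync://root@{{ ansible_fqdn }}/{{ openvpn_conf_dir }}/ta.key'
            dest: '{{ openvpn_conf_dir }}/ta.key'
          delegate_to: '{{ openvpn_master_host }}'
          ignore_errors: true

        - name: Fix the ta.key file permissions
          file:
            dest: '{{ openvpn_conf_dir }}/ta.key'
            owner: root
            group: root
            mode: '0400'
      always:
        - name: Fix the ta.key file permissions on the master host
          file:
            dest: '{{ openvpn_conf_dir }}/ta.key'
            owner: root
            group: root
            mode: '0400'
          delegate_to: '{{ openvpn_master_host }}'
  when: openvpn_mode != 'server'
  tags: ['openvpn', 'openvpn_conf', 'openvpn_shared_secrets']

- block:
    # sysctl values are strings; quoted so YAML does not turn them into ints.
    - name: Enable kernel forwarding
      sysctl:
        name: '{{ item }}'
        value: '1'
        reload: true
        state: present
      with_items:
        - net.ipv4.ip_forward
        # - net.ipv6.conf.all.forwarding
      when:
        - openvpn_enable_system_forward
        - openvpn_enabled

    - name: Disable kernel forwarding
      sysctl:
        name: '{{ item }}'
        value: '0'
        reload: true
        state: present
      with_items:
        - net.ipv4.ip_forward
        # - net.ipv6.conf.all.forwarding
      when: not openvpn_enable_system_forward

    - name: Ensure that the OpenVPN service is enabled and running
      service:
        name: openvpn
        state: started
        enabled: true
      when: openvpn_enabled

    - name: Ensure that the OpenVPN service is stopped and disabled
      service:
        name: openvpn
        state: stopped
        enabled: false
      when: not openvpn_enabled
  tags: openvpn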