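---
# OpenVPN server role tasks: install the packages and optional auth
# plugins, render the server configuration, generate the DH parameters
# and tls-auth key, manage the service, and toggle kernel forwarding.
#
# Changes from the original: module arguments are native YAML instead of
# key=value strings, booleans are true/false, the octal mode is quoted,
# shell pipelines use && so the chmod only runs after the generator
# succeeded (with `creates` a failed run would otherwise leave a partial
# file that is never regenerated), and the "PSM" task name typo is fixed.

- name: Install the OpenVPN main packages
  apt:
    name: "{{ openvpn_pkgs }}"
    state: "{{ openvpn_pkg_state }}"
    update_cache: true
  tags: openvpn

- name: Install the OpenVPN radius auth plugin package
  apt:
    name: "{{ openvpn_radius_pkg }}"
    state: "{{ openvpn_pkg_state }}"
  when: openvpn_radius_auth
  tags: openvpn

- name: Install the OpenVPN ldap auth plugin package
  apt:
    name: "{{ openvpn_ldap_pkg }}"
    state: "{{ openvpn_pkg_state }}"
  when: openvpn_ldap_auth
  tags: openvpn

# The distro-packaged plugin is copied into the OpenVPN config dir so the
# rendered server config can reference it at a stable path.
- name: Install the OpenVPN PAM auth plugin
  copy:
    src: /usr/lib/openvpn/openvpn-plugin-auth-pam.so
    dest: "{{ openvpn_conf_dir }}/openvpn-plugin-auth-pam.so"
    remote_src: true
  when: openvpn_username_pam_auth
  tags: openvpn

- name: Remove the OpenVPN PAM auth plugin
  file:
    dest: "{{ openvpn_conf_dir }}/openvpn-plugin-auth-pam.so"
    state: absent
  when: not openvpn_username_pam_auth
  tags: openvpn

- name: Create the ipp and status subdirs
  file:
    dest: "{{ openvpn_conf_dir }}/{{ item }}"
    state: directory
  loop:
    - ipp
    - status
  tags: openvpn

- name: Install the main OpenVPN configuration file
  template:
    src: openvpn.conf.j2
    dest: "{{ openvpn_conf_dir }}/{{ openvpn_conf_name }}"
    owner: root
    group: root
    mode: "0444"
  notify: Reload OpenVPN
  tags: openvpn

# DH parameter generation is slow; `creates` makes it a one-time step.
# The && ensures chmod (and thus a world-readable but final file) only
# follows a successful dhparam run.
- name: Create the dh file
  shell: >-
    openssl dhparam -out {{ openvpn_conf_dir }}/dh2048.pem 2048
    && chmod 444 {{ openvpn_conf_dir }}/dh2048.pem
  args:
    creates: "{{ openvpn_conf_dir }}/dh2048.pem"
  tags: openvpn

# The tls-auth key is a shared secret; keep it readable by root only.
- name: Create the ta key
  shell: >-
    openvpn --genkey --secret ta.key
    && chmod 400 {{ openvpn_conf_dir }}/ta.key
  args:
    chdir: "{{ openvpn_conf_dir }}"
    creates: "{{ openvpn_conf_dir }}/ta.key"
  tags: openvpn

- name: Ensure that the OpenVPN service is enabled and running
  service:
    name: openvpn
    state: started
    enabled: true
  when: openvpn_enabled
  tags: openvpn

- name: Ensure that the OpenVPN service is stopped and disabled
  service:
    name: openvpn
    state: stopped
    enabled: false
  when: not openvpn_enabled
  tags: openvpn

# sysctl values are strings; quoting avoids the module re-typing them.
- name: Enable kernel forwarding
  sysctl:
    name: "{{ item }}"
    value: "1"
    reload: true
    state: present
  loop:
    - net.ipv4.ip_forward
    # - net.ipv6.conf.all.forwarding
  when: openvpn_enable_system_forward
  tags: openvpn

- name: Disable kernel forwarding
  sysctl:
    name: "{{ item }}"
    value: "0"
    reload: true
    state: present
  loop:
    - net.ipv4.ip_forward
    # - net.ipv6.conf.all.forwarding
  when: not openvpn_enable_system_forward
  tags: openvpn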