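# WireGuard node setup: install packages, create a per-host keypair, render
# wg0.conf from wg0.conf.j2 and bring the interface up.
#
# Security notes:
#   - The private key is read into the `wg_private_key` fact so the template can
#     embed it. Every task that handles that value (slurp, set_fact, template)
#     runs with `no_log: true`; otherwise the key is printed by `-v`, by
#     `--diff` (template shows the rendered file) and by result-logging
#     callbacks. The fact is still present in memory/hostvars for the play.
#   - `wg_show` was referenced by the final debug task but never registered;
#     a `wg show wg0` task now provides it.
#   - A changed wg0.conf now restarts wg-quick@wg0; `state: started` alone
#     left a running interface on the old configuration.
- name: Install wireguard
  apt:
    name:
      - wireguard
      - qrencode
    state: present
    update_cache: true

- name: Ensure key dir
  file:
    path: /etc/wireguard/keys
    state: directory
    mode: "0700"

# umask 077 makes the key file 0600 from the moment it is created, before any
# content is written. `creates` gives idempotency, so the shell-level
# existence check of the original is no longer needed.
- name: Generate private key if missing
  shell: "umask 077 && wg genkey > /etc/wireguard/keys/privatekey"
  args:
    creates: /etc/wireguard/keys/privatekey
  no_log: true

- name: Generate public key
  shell: "wg pubkey < /etc/wireguard/keys/privatekey > /etc/wireguard/keys/publickey"
  args:
    creates: /etc/wireguard/keys/publickey

- name: Read pubkey
  slurp:
    src: /etc/wireguard/keys/publickey
  register: pubkey_raw

# slurp returns the file content (base64) in the task result; no_log keeps it
# out of playbook output and callback logs.
- name: Read private key
  slurp:
    src: /etc/wireguard/keys/privatekey
  register: privkey_raw
  no_log: true

# set_fact echoes the new facts in its result, so this task is no_log as well.
- name: Set WireGuard key facts
  set_fact:
    wg_public_key: "{{ pubkey_raw.content | b64decode | trim }}"
    wg_private_key: "{{ privkey_raw.content | b64decode | trim }}"
  no_log: true

# Collect facts for every k8s node so the template can reference peer hostvars
# even when the play runs with --limit. NOTE(review): setup gathers system
# facts only; a peer's wg_public_key is presumably available in hostvars only
# if that peer executed the set_fact above in this play — confirm when
# templating peers.
- name: Gather facts from all hosts
  setup:
  delegate_to: "{{ item }}"
  delegate_facts: true
  loop: "{{ groups['k8s_nodes'] }}"
  run_once: true

# Public keys are not secret; the hostname is hard-coded here, presumably
# as a quick sanity check that cross-host facts are visible.
- name: Pretty print hostvars
  debug:
    msg: "{{ hostvars['hetzner-1']['wg_public_key'] }}"

# The rendered file contains the private key: no_log prevents --diff/-v from
# printing it. The result is registered so the service task can restart on
# change.
- name: Render config
  template:
    src: wg0.conf.j2
    dest: /etc/wireguard/wg0.conf
    mode: "0600"
  register: wg_conf
  no_log: true

- name: Enable IP forward
  sysctl:
    name: net.ipv4.ip_forward
    value: "1"
    sysctl_set: true
    state: present
    reload: true

# Restart only when wg0.conf actually changed; otherwise a running tunnel
# keeps stale peers/keys until the next reboot.
- name: Enable wg-quick
  service:
    name: wg-quick@wg0
    enabled: true
    state: "{{ 'restarted' if wg_conf.changed else 'started' }}"

# NOTE(review): the wg tool prints private/preshared keys as "(hidden)" in
# `wg show` output; do not switch this to `wg showconf`, which prints them
# in the clear.
- name: Query interface status
  command: wg show wg0
  register: wg_show
  changed_when: false

- name: Print interface status
  debug:
    var: wg_show.stdout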