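---
# Installs WireGuard, deploys the "simponic" tunnel configuration, enables
# IPv4 forwarding, opens the listen port in ufw and (re)loads the interface.

- name: Install wireguard
  ansible.builtin.apt:
    name:
      - wireguard
    # "latest" upgrades the package on any run that finds a newer build in the
    # apt cache, so the installed version follows the configured repositories
    # rather than a pinned release.
    state: latest

- name: Copy config
  ansible.builtin.copy:
    src: wireguard.cfg
    dest: /etc/wireguard/simponic.conf
    owner: root
    group: root
    # Quoted so the module receives the string "0600" and does the octal
    # conversion itself; a bare 0600 depends on the YAML parser's octal rules.
    mode: "0600"
  # NOTE(review): a wg-quick config normally carries the interface PrivateKey,
  # so presumably this file is secret. Confirm wireguard.cfg is stored
  # ansible-vault encrypted (copy decrypts vaulted sources by default).
  # diff is disabled so --diff runs do not print the file's contents.
  diff: false

- name: Enable and persist ip forwarding
  # This makes the host route IPv4 between all of its interfaces, not only the
  # tunnel. Which traffic may be forwarded is left to the firewall's
  # forward/route rules; this file does not set any.
  ansible.builtin.sysctl:
    name: net.ipv4.ip_forward
    value: "1"
    state: present
    sysctl_set: true
    reload: true

- name: Allow wireguard endpoint ufw
  # Opens the port to any source address. Where peers have fixed addresses the
  # rule can be narrowed with the module's from_ip option.
  ansible.builtin.ufw:
    rule: allow
    port: "51820"
    proto: udp

- name: Start wireguard and enable on boot
  ansible.builtin.systemd:
    name: wg-quick@simponic
    enabled: true
    state: started

- name: Hotreload wireguard
  # The interface name must match the config and unit deployed above
  # (simponic.conf / wg-quick@simponic); this role configures no other
  # interface. syncconf applies only the differences between the stripped
  # config and the live interface, so running it on every play does not tear
  # the tunnel down.
  ansible.builtin.shell:
    cmd: wg syncconf simponic <(wg-quick strip simponic)
    # Process substitution "<( )" is a bash feature, so the command must not
    # run under /bin/sh.
    executable: /bin/bash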