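---
# Debian / WireGuard server bootstrap (Ansible task list).
# Tasks are written to be idempotent: re-running the file must not append
# duplicate sysctl lines, stack duplicate iptables rules, or regenerate the
# server key pair (which would invalidate every peer already configured).

# Pin-Priority 90 (< 100) means a package is taken from unstable only when no
# version of it is installed yet, so this does not pull the whole host onto
# unstable -- only packages that are otherwise missing (wireguard).
- name: add unstable to repos
  copy:
    dest: /etc/apt/sources.list.d/unstable.list
    content: "deb http://deb.debian.org/debian/ unstable main\n"

- name: pin unstable below the default release
  copy:
    dest: /etc/apt/preferences.d/limit-unstable
    content: |
      Package: *
      Pin: release a=unstable
      Pin-Priority: 90

- name: Update aptitude
  apt:
    update_cache: true

- name: install wireguard
  apt:
    name: wireguard
    state: latest

# The headers must match the running kernel for the dkms module build.
# Using the gathered fact instead of a hard-coded version keeps this correct
# after a kernel upgrade (requires fact gathering to be enabled).
- name: install linux headers (necessary on older cloud kernels (fuck u digitalocean))
  apt:
    name: "linux-headers-{{ ansible_kernel }}"

- name: install misc other things the internet says i need
  apt:
    name:
      - build-essential
      - dkms

- name: needed for handling dns requests
  apt:
    name: openresolv

# The sysctl module writes /etc/sysctl.conf (its default sysctl_file) and
# applies the value in one step, rather than appending a fresh line to the
# file on every run.
- name: enable kernel relay/forwarding
  sysctl:
    name: "{{ item }}"
    value: "1"
    sysctl_set: true
    state: present
    reload: true
  loop:
    - net.ipv4.ip_forward
    - net.ipv4.conf.all.proxy_arp

# The iptables module checks for an existing rule before adding it, so
# re-runs do not stack duplicates. Note: these rules are not persisted
# across reboot by these tasks.
- name: allow established traffic in
  iptables:
    chain: INPUT
    ctstate: [RELATED, ESTABLISHED]
    jump: ACCEPT

- name: allow established traffic to be forwarded
  iptables:
    chain: FORWARD
    ctstate: [RELATED, ESTABLISHED]
    jump: ACCEPT

- name: allow new peer-to-peer traffic across wg0
  iptables:
    chain: FORWARD
    in_interface: wg0
    out_interface: wg0
    ctstate: [NEW]
    jump: ACCEPT

# Subnet and egress interface are site-specific; adjust if the host's
# public interface is not eth0.
- name: masquerade tunnel traffic leaving eth0
  iptables:
    table: nat
    chain: POSTROUTING
    source: 10.200.219.0/24
    out_interface: eth0
    jump: MASQUERADE

# The config directory holds the private key; keep it root-only.
- name: ensure /etc/wireguard/ exists
  file:
    path: /etc/wireguard/
    state: directory
    mode: "0700"

# `umask 077` inside the script is what makes wg0.conf and publickey 0600.
# A task-level `vars: umask:` is not a shell-module option -- it is just an
# unused variable -- and would leave the private key world-readable.
# `creates` makes this run once: regenerating the key pair on every run
# would invalidate every configured peer.
- name: Generate keys
  shell: |
    umask 077
    printf "[Interface]\nPrivateKey = " > /etc/wireguard/wg0.conf
    wg genkey | tee -a /etc/wireguard/wg0.conf | wg pubkey > /etc/wireguard/publickey
  args:
    creates: /etc/wireguard/publickey

# Read-only; reporting "changed" here would be misleading.
- name: register publickey for later use
  shell: cat /etc/wireguard/publickey
  register: server_publickey
  changed_when: false

# wg-quick refuses to bring up an interface that is already up, so take it
# down first so a later `wg-quick up` starts clean. Errors are ignored because
# on a fresh host the interface is not up yet.
- name: stop wg0 if it is already running
  shell: wg-quick down /etc/wireguard/wg0.conf
  ignore_errors: true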