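---
# playbook to go from a "base configured" server to a strongswan vpn
#
# Rewritten with native module arguments instead of key=value strings and
# shell one-liners, so every task can be re-run without appending duplicate
# lines or stacking duplicate firewall rules.
- hosts: vpn
  remote_user: josiah
  gather_facts: false
  become: true
  vars:
    # ufw is installed here but this play does not configure any ufw rules.
    vpn_packages:
      - strongswan
      - strongswan-pki
      - ufw
    # Quoted so YAML never tries to type the addresses; both are only ever
    # interpolated as text into ipsec.secrets below.
    remote_host: '165.22.156.25'
    local_host: '0.0.0.0'
    # Kernel parameters written to /etc/sysctl.conf (values kept as strings
    # so they render as "key = value" verbatim).
    sysctl_params:
      - key: net.ipv4.ip_forward
        value: '1'
      - key: net.ipv4.conf.all.accept_redirects
        value: '0'
      - key: net.ipv4.conf.all.send_redirects
        value: '0'

  tasks:
    - name: Update apt
      apt:
        update_cache: true

    - name: Install required system packages
      apt:
        name: "{{ vpn_packages }}"
        state: latest

    # lineinfile replaces an existing entry instead of appending a new copy
    # on every run (a `cat >> /etc/sysctl.conf` heredoc grows the file each
    # time the play runs).
    - name: set kernel params
      lineinfile:
        path: /etc/sysctl.conf
        regexp: '^{{ item.key | regex_escape }}\s*='
        line: '{{ item.key }} = {{ item.value }}'
      loop: "{{ sysctl_params }}"

    - name: save kernel params
      command: sysctl -p /etc/sysctl.conf
      # applying sysctl.conf is idempotent; do not report it as a change
      changed_when: false

    # no_log keeps the generated secret out of the play output and out of
    # any log collector the controller forwards to.
    # NOTE(review): a fresh key is generated on every run, so each run
    # rewrites ipsec.secrets and the peer configuration must be updated to
    # match — confirm this is intended before scheduling the play.
    - name: Generate preshared key
      command: openssl rand -hex 32
      register: awful_psk
      no_log: true

    # The former debug task that printed the registered key has been removed:
    # it wrote the PSK into the console output. When the value is needed,
    # read it from /etc/ipsec.secrets on the host as root.

    - name: Copy my ipsec.conf file to the VPN host
      # this file does a lot. view more info in the readme.md
      copy:
        src: ipsec.conf
        dest: /etc/ipsec.conf
        owner: root
        group: root
        mode: '0644'

    # copy with `content` overwrites the file, which replaces the earlier
    # `rm` + `cat >>` pair (and does not fail when the file is absent).
    # mode 0600 because the file holds the PSK; no_log because the rendered
    # content would otherwise appear in diff/verbose output.
    - name: create ipsec.secrets with psk info
      copy:
        content: |
          {{ remote_host }} {{ local_host }}: PSK "{{ awful_psk.stdout }}"
        dest: /etc/ipsec.secrets
        owner: root
        group: root
        mode: '0600'
      no_log: true

    # The iptables module checks whether the rule is already present before
    # appending it, so re-running the play does not stack duplicate
    # MASQUERADE entries. As with the original shell command, the rule is not
    # persisted across a reboot by this play.
    - name: update route rules
      iptables:
        table: nat
        chain: POSTROUTING
        source: 192.168.1.0/24
        destination: 10.138.0.0/16
        jump: MASQUERADE

    # - name: copy psk down to local machine
    #   local_action: copy_content={{ awful_psk }} dest=psk.txt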