---

- name: ensure tinc netname directory exists
  file:
    path: "/etc/tinc/{{ netname }}/hosts"
    recurse: True
    state: directory

- name: ensure tinc.conf contains connection to all other nodes
  template:
    src: tinc.conf.j2
    dest: "/etc/tinc/{{ netname }}/tinc.conf"
  notify:
    - reload tinc

- name: create tinc-up file
  template:
    src: tinc-up.j2
    dest: "/etc/tinc/{{ netname }}/tinc-up"
    mode: 0755
  notify:
    - restart tinc

- name: create tinc-down file
  template:
    src: tinc-down.j2
    dest: "/etc/tinc/{{ netname }}/tinc-down"
    mode: 0755
  notify:
    - restart tinc

- name: ensure tinc hosts file binds to physical ip address
  lineinfile:
    dest: "/etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}"
    line: "Address = {{ ansible_host }}"
    create: yes
  notify:
    - restart tinc

- name: ensure tinc hosts file has virtual ip address
  lineinfile:
    dest: "/etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}"
    line: "Subnet = {{ vpn_ip }}/32"
    create: yes
  notify:
    - restart tinc

- name: check whether /etc/tinc/netname/hosts/inventory_hostname contains "-----END RSA PUBLIC KEY-----"
  command: awk '/^-----END RSA PUBLIC KEY-----$/'  "/etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}"
  changed_when: "public_key.stdout != '-----END RSA PUBLIC KEY-----'"
  register: public_key

# this is necessary because the public key will not be generated (non-interactively) if the private key already exists
- name: delete private key and regenerate keypair if public key is absent from tinc hosts file
  file:
    path: /etc/tinc/{{ netname }}/rsa_key.priv
    state: absent
  when: public_key.changed

- name: create tinc private key (and append public key to tincd hosts file)
  shell: tincd -n {{ netname }} -K4096
  args:
    creates: /etc/tinc/{{ netname }}/rsa_key.priv
  notify:
    - restart tinc

- name: fetch tinc hosts file after key creation
  fetch:
    src: /etc/tinc/{{ netname }}/hosts/{{ inventory_hostname }}
    dest: fetch/{{ inventory_hostname }}
    flat: yes
  notify:
    - reload tinc

- name: sync the fetched tinc hosts files on each host
  synchronize:
    src: fetch/
    dest: /etc/tinc/{{ netname }}/hosts/
  notify:
    - reload tinc

- name: run handlers
  meta: flush_handlers

- name: ensure tinc is started
  systemd:
    name: "tinc@{{ netname }}"
    enabled: true
    state: started