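---
# Playbook for the "dnagw" KVM guest: the host forwards IPv4/IPv6 and
# serves DHCP, DNS (unbound), HTTP (nginx) and PXE/TFTP boot material.
- import_playbook: "include/deploy-kvm-guest.yml myhosts=dnagw"

- name: configure instance
  hosts: dnagw
  # `remote_user` is the current spelling of the play keyword (`user` is the
  # legacy alias); behaviour is identical.
  remote_user: root
  gather_facts: true
  vars_files:
    - "{{ ansible_private }}/vars.yml"
  roles:
    - base
    - ifstated
    - dhcpd
    - nginx/server
    - role: nginx/site
      site: gw.home.foo.sh
    - tftp
    - websockify
  tasks:
    - name: use configured dns servers and domain name
      # Keep resolver configuration under local control: a DHCP lease must
      # not overwrite the nameservers / search domain this host is set up with.
      copy:
        dest: /etc/dhclient.conf
        content: "ignore domain-name-servers, domain-name;"
        # File modes are quoted so YAML does not reinterpret the leading-zero
        # octal literal (ansible-lint "risky-octal"); same for every mode below.
        mode: "0644"
        owner: root
        group: "{{ ansible_wheel }}"

    - name: enable ip forwarding
      # Persist to sysctl.conf and apply immediately (sysctl_set) for both
      # address families.
      sysctl:
        name: "{{ item }}"
        sysctl_set: true
        value: "1"
      loop:
        - net.inet.ip.forwarding
        - net.inet6.ip6.forwarding

    - name: run handlers to get interfaces configured
      # Interface/daemon handlers queued by the roles above must run before
      # the services configured below are touched.
      meta: flush_handlers

    - name: create tftp boot directories
      file:
        path: /srv/tftpboot/etc
        state: directory
        mode: "0755"
        owner: root
        group: "{{ ansible_wheel }}"

    - name: create tftp boot config for openbsd
      # Serial console on com0 and an unattended boot of the ramdisk kernel
      # fetched over TFTP.
      copy:
        dest: /srv/tftpboot/etc/boot.conf
        content: |
          stty com0 115200
          set tty com0
          boot tftp:bsd.rd
        mode: "0644"
        owner: root
        group: "{{ ansible_wheel }}"

    - name: create tftp pxeboot loader for openbssd
      # The checksum pins the artifact; get_url only re-downloads when the local
      # file does not match it. The mirror is fetched over TLS (get_url verifies
      # the certificate by default). SHA-1 is a weak integrity algorithm; switch
      # to the mirror's published SHA256 digest when updating the release.
      get_url:
        url: "https://mirrors.foo.sh/openbsd/6.9/amd64/pxeboot"
        checksum: sha1:e04ff88afbd41fbd33fc68bdb027c0f5bf8d29af
        dest: /srv/tftpboot/pxeboot
        mode: "0644"
        owner: root
        group: "{{ ansible_wheel }}"

    - name: create tftp ramdisk for openbsd
      # Same pinning/verification notes as the pxeboot loader above.
      get_url:
        url: "https://mirrors.foo.sh/openbsd/6.9/amd64/bsd.rd"
        checksum: sha1:4d9df57080b89e954cef28366db52f2d66e66426
        dest: /srv/tftpboot/bsd.rd
        mode: "0644"
        owner: root
        group: "{{ ansible_wheel }}"

    - name: copy dns private key
      # Prefer the Let's Encrypt key, fall back to the internal CA key for this
      # host. Mode 0600 keeps the private key readable by root only, regardless
      # of the group set here.
      copy:
        dest: "{{ tls_private }}/dns.home.foo.sh.key"
        src: "{{ item }}"
        mode: "0600"
        owner: root
        group: "{{ ansible_wheel }}"
      with_first_found:
        - /srv/letsencrypt/live/dns.home.foo.sh/privkey.pem
        - "/srv/ca/private/{{ inventory_hostname }}.key"
      tags: certificate
      notify: restart unbound

    - name: copy dns certificate and ca cert
      # Certificate material is public; same first-found lookup order as the key.
      copy:
        dest: "{{ tls_certs }}/dns.home.foo.sh.crt"
        src: "{{ item }}"
        mode: "0644"
        owner: root
        group: "{{ ansible_wheel }}"
      with_first_found:
        - /srv/letsencrypt/live/dns.home.foo.sh/fullchain.pem
        - "/srv/ca/certs/hosts/{{ inventory_hostname }}.crt"
      tags: certificate
      notify: restart unbound

    - name: copy dns zone files
      # Zone files come from the control host's /srv/dns tree; the "dns" tag
      # allows pushing zone updates alone.
      copy:
        dest: "/var/unbound/db/{{ item }}"
        src: "/srv/dns/{{ item }}"
        mode: "0644"
        owner: root
        group: "{{ ansible_wheel }}"
      tags: dns
      notify: restart unbound
      loop:
        - 20.172.in-addr.arpa
        - home.foo.sh

    # Imported last so the "restart unbound" handler notified above is provided
    # by the role and the unbound configuration is applied after its inputs.
    - import_role:
        name: unbound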