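---
# Provision the dnagw guest, then configure it as a gateway host running
# DHCP, nginx, TFTP, websockify and unbound.

# Play 1: run the shared KVM guest deployment playbook for this host.
- name: Deploy KVM virtual machines
  ansible.builtin.import_playbook: include/deploy-kvm-guest.yml
  vars:
    myhosts: dnagw

# Play 2: configure the deployed instance. Roles run first, then tasks.
- name: Configure instance
  hosts: dnagw
  user: root
  gather_facts: true

  vars_files:
    - "{{ ansible_private }}/vars.yml"

  roles:
    - base
    - dhcpd
    - nginx
    - role: nginx_site
      nginx_site_name: gw.home.foo.sh
    - tftp
    - websockify

  tasks:
    # The host forwards both IPv4 and IPv6 traffic.
    # NOTE(review): net.inet.* names look BSD-style; confirm the target OS.
    - name: Enable ip forwarding
      ansible.posix.sysctl:
        name: "{{ item }}"
        sysctl_set: true
        value: "1"
      loop:
        - net.inet.ip.forwarding
        - net.inet6.ip6.forwarding

    # Run pending handlers now so interface changes notified by the roles
    # above are applied before ifstated is set up.
    - name: Run handlers to get interfaces configured
      ansible.builtin.meta: flush_handlers

    - name: Import ifstated role
      ansible.builtin.import_role:
        name: ifstated

    # Use the Let's Encrypt key when it exists on the controller, otherwise
    # fall back to the per-host key under /srv/ca. The key stays readable by
    # root only (0600).
    - name: Copy DNS private key
      ansible.builtin.copy:
        dest: "{{ tls_private }}/dns.home.foo.sh.key"
        src: "{{ item }}"
        mode: "0600"
        owner: root
        group: "{{ ansible_wheel }}"
      with_first_found:
        - /srv/letsencrypt/live/dns.home.foo.sh/privkey.pem
        - "/srv/ca/private/{{ inventory_hostname }}.key"
      # Keep private key material out of --diff output and any logs that
      # capture it.
      diff: false
      tags: certificates
      notify: Restart unbound

    # Same source preference as the key so certificate and key come from
    # matching sources, assuming both files of a pair exist. The certificate
    # is public, hence 0644.
    - name: Copy DNS certificate and ca cert
      ansible.builtin.copy:
        dest: "{{ tls_certs }}/dns.home.foo.sh.crt"
        src: "{{ item }}"
        mode: "0644"
        owner: root
        group: "{{ ansible_wheel }}"
      with_first_found:
        - /srv/letsencrypt/live/dns.home.foo.sh/fullchain.pem
        - "/srv/ca/certs/hosts/{{ inventory_hostname }}.crt"
      tags: certificates
      notify: Restart unbound

    # NOTE(review): the "Restart unbound" handler notified above is
    # presumably defined by this role; confirm.
    - name: Import unbound role
      ansible.builtin.import_role:
        name: unbound

    - name: Import unbound_exporter role
      ansible.builtin.import_role:
        name: unbound_exporter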