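---
# Enables the Debian unstable repository (presumably the source of the
# wireguard packages), installs WireGuard and brings up the "sputnik" tunnel.
# Hosts where `wireguard.sputnik` is false additionally get nftables.

# Deployed before the repository is added, so there is no window (e.g. after a
# failed run) in which unstable is enabled without the preferences file.
# NOTE(review): the template is not visible here; presumably it pins unstable
# at a low priority so only selected packages come from it. Confirm.
- name: Limit unstable packages
  template:
    src: apt/preferences.d/limit-unstable.j2
    dest: /etc/apt/preferences.d/limit-unstable
    mode: "0644"
    owner: root
    group: root

- name: Add Debian unstable repository
  apt_repository:
    repo: "deb {{ debian_mirror }} unstable main"
    state: present

# Retried because the cache refresh and download depend on the mirror.
- name: Install wireguard
  apt:
    update_cache: true
    name:
      - wireguard
      - resolvconf
      - linux-headers-amd64
    state: present
  register: apt_result
  retries: 3
  until: apt_result is succeeded

# Scripts in /etc/update-motd.d are executed at login, so keep the file
# root-owned and writable by root only.
- name: Indicate role in motd
  template:
    src: update-motd.d/05-service.j2
    dest: /etc/update-motd.d/05-wireguard
    mode: "0755"
    owner: root
    group: root

# `state: directory` is required for the task to create the path; without it
# the file module only adjusts an existing path and fails when it is missing.
- name: Ensure wireguard directory is present
  file:
    path: /etc/wireguard
    state: directory
    mode: "0700"
    owner: root
    group: root

# Readable by root only and not executable: a config file needs no execute
# bit. NOTE(review): the rendered file presumably holds the interface private
# key; if so, consider `diff: false` / `no_log: true` so it does not appear in
# run output. Confirm against the template.
- name: Deploy wireguard configuration
  template:
    src: wireguard/sputnik.conf.j2
    dest: /etc/wireguard/sputnik.conf
    mode: "0600"
    owner: root
    group: root

# NOTE(review): `state: started` does not restart a unit that is already
# running, so a changed sputnik.conf is not applied by the tasks in this file.
# Confirm that a handler or a manual restart covers that.
- name: Enable and start wireguard service
  systemd:
    name: wg-quick@sputnik
    state: started
    enabled: true

- name: Install nftables
  apt:
    name: nftables
    state: present
    update_cache: true
  register: apt_result
  retries: 3
  until: apt_result is succeeded
  when: not wireguard.sputnik

# NOTE(review): the ruleset is deployed without a syntax check and nothing
# here reloads nftables when it changes; a broken or stale ruleset would only
# show up at the next service start. Confirm this is intended.
- name: Deploy nftables.conf
  template:
    src: nftables.conf
    dest: /etc/nftables.conf
    mode: "0644"
    owner: root
    group: root
  when: not wireguard.sputnik

- name: Enable and start nftables
  systemd:
    name: nftables
    enabled: true
    state: started
  when: not wireguard.sputnik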