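---
# Provisions the reverse-proxy / VPN host: base packages, sshd, WireGuard,
# nginx, HAProxy. Privilege escalation goes through doas, whose prompt is
# disabled for the duration of the play and restored by the last task.
- hosts:
    - "{{ proxy_server_hostname }}"
    #- "{{ proxy_server_hostname }}-defaultport"
  become: true
  # Play-level ignore_errors lets every task run even after a failure (so the
  # doas reset at the end is always reached), but it also means a failed
  # package install or config deployment only shows up in the log. The
  # validate: commands on the sshd/nginx/haproxy templates below keep a broken
  # config from being written in the first place, so a failure here is not
  # silently left in place on disk.
  ignore_errors: true
  vars:
    # Packages to install
    packages:
      # System
      - linux-headers-amd64
      - build-essential
      - ssh
      - mount
      - vim
      - neofetch
      - htop
      # Reverse Proxy/Webserver
      - nginx
      - libnginx-mod-stream  # Module allowing to proxy TCP, UDP (1.9.13), UNIX-domain sockets requests.
      - libnginx-mod-mail  # Module allowing to proxy IMAP, POP3 & SMTP.
      - haproxy  # Alternate dedicated Reverse Proxy, using for mail
      # VPN Server
      - wireguard
      # TLS
      - certbot
      - python3-certbot-nginx
      # Firewall
      # NOTE(review): the package is installed, but no firewall rules are
      # managed in this play; confirm the rule set is provisioned elsewhere.
      - iptables-persistent

  tasks:
    - name: Apply default doas configuration allowing wheel group users to elevate commands with prompt
      become: true
      ansible.builtin.template:
        src: root_resources/etc/doas.conf
        dest: /etc/doas.conf

    # Undone by "Reset doas configuration back to default" at the end of the play.
    - name: Temporarily disable doas pass prompt as doas persist does not work within scripts
      become: true
      ansible.builtin.replace:
        path: /etc/doas.conf
        regexp: 'persist'
        replace: 'nopass'

    # System Setup
    - name: Ensure .bashrc is updated
      ansible.builtin.template:
        src: proxy_resources/.bashrc
        # NOTE(review): with become at play level, `~` is expected to resolve
        # to root's home on the remote host -- confirm that is the intent.
        dest: "~/.bashrc"

    - name: Add contrib
      ansible.builtin.replace:
        dest: /etc/apt/sources.list
        # Append " contrib" to every "deb ..." line that does not already carry it.
        regexp: '^(deb(?!.* contrib).*)'
        replace: '\1 contrib'

    - name: Ensure list of packages is installed
      ansible.builtin.apt:
        name: '{{ packages }}'
        state: present

    # SSH Server Setup
    - name: Enable SSH
      ansible.builtin.systemd:
        name: ssh
        enabled: true
        state: started

    - name: Ensure sshd configuration is updated
      ansible.builtin.template:
        src: proxy_resources/etc/ssh/sshd_config
        dest: /etc/ssh/sshd_config
        # Syntax-check the rendered file before it replaces the live config,
        # so a bad template cannot lock us out on the next sshd restart.
        validate: '/usr/sbin/sshd -t -f %s'
      notify: Restart ssh

    # Wireguard VPN Server Setup
    - name: Ensure wireguard server configuration is updated
      ansible.builtin.template:
        src: proxy_resources/etc/wireguard/wg0.conf
        dest: /etc/wireguard/wg0.conf
        # The rendered config holds the server's private key; keep it root-only
        # (wg-quick warns when the file is world-readable).
        mode: "0600"
      notify: Restart wireguard

    - name: Enable and persist ip forwarding
      ansible.posix.sysctl:
        name: net.ipv4.ip_forward
        value: "1"
        state: present
        sysctl_set: true
        reload: true

    - name: Enable wireguard server
      ansible.builtin.systemd:
        name: wg-quick@wg0
        enabled: true
        state: started

    # NGinx Reverse Proxy/Webserver Setup
    - name: Ensure NGinx main config is updated
      ansible.builtin.template:
        src: proxy_resources/etc/nginx/nginx.conf
        dest: /etc/nginx/nginx.conf
        # Reject a config nginx itself would refuse to load.
        validate: '/usr/sbin/nginx -t -c %s'
      notify: Restart nginx

    - name: Ensure NGinx sites config directory exists
      ansible.builtin.file:
        path: /etc/nginx/sites-available/
        state: directory

    # Experimental NGinx Email Proxy
    # - name: Ensure Email Proxy Authentication Server is updated
    #   ansible.builtin.template:
    #     src: proxy_resources/home/mail-authserver.py
    #     dest: ~/mail-authserver.py

    # HAProxy Reverse Proxy Setup
    - name: Ensure HAProxy configuration is updated for mail and technitium DNS reverse proxying
      ansible.builtin.template:
        src: proxy_resources/etc/haproxy/haproxy.cfg
        dest: /etc/haproxy/haproxy.cfg
        # Reject a config haproxy itself would refuse to load.
        validate: '/usr/sbin/haproxy -c -f %s'
      notify: Restart haproxy

    # Restores the prompting doas.conf; runs even after earlier failures
    # because of the play-level ignore_errors.
    - name: Reset doas configuration back to default
      become: true
      ansible.builtin.template:
        src: root_resources/etc/doas.conf
        dest: /etc/doas.conf

    # End
    - name: Debug Finish message
      ansible.builtin.debug:
        msg: Ansible playbook has finished!

  # Handlers run once at the end of the play, only for services whose
  # configuration actually changed, so the templated configs take effect
  # without waiting for a reboot.
  handlers:
    - name: Restart ssh
      ansible.builtin.systemd:
        name: ssh
        state: restarted

    - name: Restart wireguard
      ansible.builtin.systemd:
        name: wg-quick@wg0
        state: restarted

    - name: Restart nginx
      ansible.builtin.systemd:
        name: nginx
        state: restarted

    - name: Restart haproxy
      ansible.builtin.systemd:
        name: haproxy
        state: restarted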