---
# Lighthouse provisioning for the Nebula overlay: open the UDP port, install
# the release binaries, mint a CA plus a host certificate, then deploy the
# config and the systemd unit.
# Variables consumed here (defined elsewhere): nebula_port, nebula_version,
# nebula_lighthouse_ip, nebula_subnet. Handler notified: "Restart nebula".

# Peers must reach the lighthouse on this UDP port, so the rule is
# intentionally not restricted by source address.
- name: Allow Nebula UDP traffic
  ufw:
    rule: allow
    proto: udp
    port: "{{ nebula_port }}"

# Only the two binaries are taken out of the tarball. Integrity rests on TLS
# to github.com alone: unarchive has no checksum option, so pinning the
# release checksum would need a separate get_url (which has one) before
# extraction. The creates guard keys on the binary existing, so bumping
# nebula_version does not re-download on an already-provisioned host.
- name: Download Nebula release
  unarchive:
    remote_src: true
    src: "https://github.com/slackhq/nebula/releases/download/v{{ nebula_version }}/nebula-linux-amd64.tar.gz"
    dest: /usr/local/bin/
    include: [nebula, nebula-cert]
    creates: /usr/local/bin/nebula

# Root-only directory; the CA key and host key written below live here.
- name: Create Nebula config directory
  file:
    path: /etc/nebula
    state: directory
    mode: "0700"
    owner: root
    group: root

# The CA private key is generated and kept on this host next to the host
# key, so root here can sign certificates for the whole overlay; an offline
# CA with only ca.crt distributed to hosts would narrow that. No -duration
# is passed, so nebula-cert's default CA lifetime applies — check it and
# plan for rotation.
- name: Generate Nebula CA
  command:
    cmd: >-
      nebula-cert ca -name "linderhof"
      -out-crt /etc/nebula/ca.crt
      -out-key /etc/nebula/ca.key
    creates: /etc/nebula/ca.key

# Signed by the CA above; the certificate address is the lighthouse IP with
# the prefix length taken from nebula_subnet.
- name: Generate host certificate
  command:
    cmd: >-
      nebula-cert sign
      -ca-crt /etc/nebula/ca.crt
      -ca-key /etc/nebula/ca.key
      -name "lighthouse"
      -ip "{{ nebula_lighthouse_ip }}/{{ nebula_subnet.split('/')[1] }}"
      -out-crt /etc/nebula/host.crt
      -out-key /etc/nebula/host.key
    creates: /etc/nebula/host.key

# Config is root-only (0600); a change restarts the service via the handler.
- name: Deploy Nebula config
  template:
    src: config.yml.j2
    dest: /etc/nebula/config.yml
    mode: "0600"
    owner: root
    group: root
  notify: Restart nebula

# Unit file is world-readable, as is conventional under /etc/systemd/system.
- name: Deploy Nebula systemd unit
  template:
    src: nebula.service.j2
    dest: /etc/systemd/system/nebula.service
    mode: "0644"
    owner: root
    group: root
  notify: Restart nebula

# daemon_reload makes systemd pick up the unit written above on first run.
- name: Enable and start Nebula
  systemd:
    name: nebula
    daemon_reload: true
    enabled: true
    state: started