---

# Expects the hash describing the community as "mf_com";
# also expects "f_ssh_keyfile" and "mf_com_repo" to be set
# (the tasks below additionally reference "fastd_alias" and "mf_com_templ").

# Clone the community key repository over SSH, authenticating with the key
# file whose path is in f_ssh_keyfile.stdout. An existing checkout is left
# untouched (update: false).
# NOTE(review): accept_hostkey adds github.com's host key on first contact
# without verifying it. Pre-seeding known_hosts with GitHub's published host
# keys before this task would remove that trust-on-first-use step.
- name: clone key repo - {{mf_com.abbreviation}}
  git:
    repo: "ssh://git@github.com/{{mf_com.repo}}"
    dest: "{{mf_com_repo}}"
    key_file: "{{f_ssh_keyfile.stdout}}"
    accept_hostkey: true
    update: false

# The following is a crude but functional workaround for the problem that
# the git module wouldn't clone the repo with the ssh-config entry
# in the URL, while git wouldn't push without it (because the
# connection to the ssh key would be missing).
# Rewrite origin's URL in the clone's local git config so that it uses the
# "github_mwu" host name instead of git@github.com.
# NOTE(review): github_mwu is presumably a Host entry in the SSH client
# configuration that selects the key; confirm it exists on the target.
- name: change git url to pushable
  git_config:
    name: "remote.origin.url"
    value: "ssh://github_mwu/{{mf_com.repo}}"
    scope: local
    repo: "{{mf_com_repo}}"

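# Generate a fastd key pair once per community: `creates` skips the command
# when secret.conf already exists, so an existing key is never replaced.
# The command prints the secret key on stdout, which is registered in
# f_key_pair; no_log keeps that result out of Ansible's console output and
# logs (the registered variable stays usable by later tasks).
- name: generate fastd key pair - {{mf_com.abbreviation}}
  command: fastd --generate-key
  args:
    creates: "/etc/fastd/{{mf_com.abbreviation}}VPN/secret.conf"
  register: f_key_pair
  no_log: true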

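# Persist a freshly generated key pair. The block runs only when the
# generate task actually ran (f_key_pair.changed). f_key_pair holds the
# secret key, so nothing in here may echo it.
- block:

  # Left disabled on purpose: dumping f_key_pair would print the secret key.
  # - debug: var=f_key_pair

  - name: write out fastd secret key - {{mf_com.abbreviation}}
    lineinfile:
      backup: true
      create: true
      dest: "/etc/fastd/{{mf_com.abbreviation}}VPN/secret.conf"
      insertbefore: BOF
      line: secret "{{f_key_pair.stdout_lines[0] |regex_replace('^Secret. ','')}}";
      # Quoted so the mode is read as an octal string, not a YAML integer.
      mode: "0400"
      regexp: '^secret ".*";'
      state: present
    # The module arguments and any diff output contain the secret key.
    no_log: true

  - name: write out fastd public key - {{mf_com.abbreviation}}
    lineinfile:
      create: true
      dest: "{{mf_com_repo}}/servers/{{fastd_alias}}"
      insertbefore: BOF
      line: key "{{f_key_pair.stdout_lines[1] |regex_replace('^Public. ','')}}";
      mode: "0440"
      regexp: '^key ".*";'
      state: present
    register: f_pub_key
    # A failure here is handled by the two tasks below instead of aborting,
    # so that the already-written secret can be removed first.
    ignore_errors: true

  # Registered results on current Ansible carry a `failed` key even on
  # success, so testing `is defined` would delete the secret on every run.
  # Test the value instead; default(false) covers results without the key.
  - name: delete secret in case of public failure - {{mf_com.abbreviation}}
    file:
      path: "/etc/fastd/{{mf_com.abbreviation}}VPN/secret.conf"
      state: absent
    when: f_pub_key.failed | default(false)

  # Stop the play once the orphaned secret has been cleaned up.
  - fail:
      msg: "FAILED writing fastd key pair"
    when: f_pub_key.failed | default(false)

  when: f_key_pair.changed
  # end of block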

# Render the community's fastd.conf from the template named by mf_com_templ.
# The rendered file is passed to `fastd --verify-config` via `validate`, and
# a backup of the previous version is kept.
- name: template out fastd.conf - {{mf_com.abbreviation}}
  template:
    src: "{{mf_com_templ}}"
    dest: "/etc/fastd/{{mf_com.abbreviation}}VPN/fastd.conf"
    # Quoted so the mode is read as an octal string, not a YAML integer.
    mode: "0640"
    backup: true
    validate: 'fastd --verify-config -c %s'