Changeset - 7ed4a4761be7
x - 21 months ago 2023-08-24 02:11:57
xbr@c3l.lu
fix: no need for root to list fastd peers
1 file changed with 1 insertions and 0 deletions:
gateway/initial_gw_setup.yml
 
@@ -55,192 +55,193 @@
 
    - name: Add `nf_conntrack` to modules
 
      community.general.modprobe:
 
        name: "nf_conntrack"
 
        state: "present"
 
        persistent: "present"
 
      tags: config
 

	
 
    # Sysctl
 
    - name: Add the freifunk settings to sysctl config
 
      ansible.builtin.blockinfile:
 
        path: /etc/sysctl.conf
 
        block: |
 
          # Freifunk specific settings
 
          net.ipv4.ip_forward=1
 
          net.ipv4.icmp_errors_use_inbound_ifaddr=1
 

	
 
          net.bridge.bridge-nf-call-arptables = 0
 
          net.bridge.bridge-nf-call-ip6tables = 0
 
          net.bridge.bridge-nf-call-iptables = 0
 

	
 
          net.ipv6.conf.all.forwarding=1
 

	
 
          net.ipv6.conf.all.autoconf = 1
 
          net.ipv6.conf.default.autoconf = 0
 
          net.ipv6.conf.eth0.autoconf = 1
 

	
 
          net.ipv6.conf.all.accept_ra = 1
 
          net.ipv6.conf.default.accept_ra = 0
 
          net.ipv6.conf.eth0.accept_ra = 1
 
          net.ipv4.conf.default.rp_filter = 2
 
      tags: config
 
    - name: Reload sysctl config
 
      ansible.builtin.shell: sysctl -p /etc/sysctl.conf
 
      tags: config
 

	
 
    # Basic networking
 
    - name: Setup network interfaces (bridge + bat0)
 
      ansible.builtin.template:
 
        src: "{{ server_config_dir }}/interface/freifunk.j2"
 
        dest: /etc/network/interfaces.d/freifunk
 
        owner: root
 
        group: root
 
        mode: "0644"
 
      tags: config
 
    - name: Pull up new interfaces
 
      ansible.builtin.command: /usr/sbin/ifup -a
 
      tags: config
 
    - name: Copy iptables rulesv4
 
      ansible.builtin.copy:
 
        src: "{{ server_config_dir }}/iptables/rules.v4"
 
        dest: /etc/iptables/rules.v4
 
        owner: root
 
        group: root
 
        mode: "0644"
 
      tags: config
 
    - name: Restart iptables-persistent
 
      ansible.builtin.service:
 
        name: "netfilter-persistent"
 
        state: "restarted"
 
        enabled: true
 
      tags: config
 
    - name: Setup dnsmasq config w/ IPv4 ranges
 
      ansible.builtin.template:
 
        src: "{{ server_config_dir }}/dnsmasq/fflux.j2"
 
        dest: /etc/dnsmasq.d/fflux
 
        owner: root
 
        group: root
 
        mode: "0644"
 
      tags: config
 

	
 
    # fastd
 
    - name: Create the fflux dir inside of fastd
 
      ansible.builtin.file:
 
        path: /etc/fastd/fflux
 
        state: directory
 
        mode: "0755"
 
      tags: config
 
    - name: Setup fastd (fflux) config w/ MAC address
 
      ansible.builtin.template:
 
        src: "{{ server_config_dir }}/fastd/fastd.conf.j2"
 
        dest: /etc/fastd/fflux/fastd.conf
 
        owner: root
 
        group: root
 
        mode: "0644"
 
      tags: config
 
    - name: Create peers-gw directory in fastd/fflux
 
      ansible.builtin.file:
 
        path: /etc/fastd/fflux/peers-gw
 
        state: directory
 
        mode: "0755"
 
      tags: config
 
    - name: List all peers but ourselves
 
      ansible.builtin.find:
 
        path: "{{ server_config_dir }}/fastd/peers-gw/"
 
        excludes: "{{ inventory_hostname }}"
 
      delegate_to: localhost
 
      become: false
 
      register: peers_to_copy
 
      tags: config
 
    - name: Copy fastd peers
 
      ansible.builtin.copy:
 
        src: "{{ item.path }}"
 
        dest: /etc/fastd/fflux/peers-gw/
 
        owner: root
 
        mode: "0644"
 
      with_items: "{{ peers_to_copy.files }}"
 
      tags: config
 
    - name: Copy fastd blacklist script
 
      ansible.builtin.copy:
 
        src: "{{ server_scripts_dir }}/fastd-blacklist.sh"
 
        dest: /etc/fastd/fflux/fastd-blacklist.sh
 
        owner: root
 
        group: root
 
        mode: "0755"
 
      tags: config
 
    - name: Start + Enable fastd
 
      ansible.builtin.service:
 
        name: "fastd@fflux"
 
        state: "started"
 
        enabled: true
 
      tags: config
 

	
 
    # OpenVPN
 
    - name: Remove client directory
 
      ansible.builtin.file:
 
        path: /etc/openvpn/client
 
        state: absent
 
      tags: config
 
    - name: Remove server directory
 
      ansible.builtin.file:
 
        path: /etc/openvpn/server
 
        state: absent
 
      tags: config
 
    - name: Copy hideme config
 
      ansible.builtin.copy:
 
        src: "{{ server_config_dir }}/openvpn/hideme.conf"
 
        dest: /etc/openvpn/hideme.conf
 
        owner: root
 
        group: root
 
        mode: "0644"
 
      tags: config
 
    - name: Copy hideme auth file
 
      ansible.builtin.copy:
 
        src: "{{ server_config_dir }}/openvpn/auth.txt"
 
        dest: /etc/openvpn/auth.txt
 
        owner: root
 
        group: root
 
        mode: "0640"
 
      tags: config
 
    - name: Copy hideme-up script
 
      ansible.builtin.copy:
 
        src: "{{ server_scripts_dir }}/hideme-up"
 
        dest: /etc/openvpn/hideme-up
 
        owner: root
 
        group: root
 
        mode: "0755"
 
      tags: config
 
    - name: Copy hideme-down script
 
      ansible.builtin.copy:
 
        src: "{{ server_scripts_dir }}/hideme-down"
 
        dest: /etc/openvpn/hideme-down
 
        owner: root
 
        group: root
 
        mode: "0755"
 
      tags: config
 
    - name: Copy update-resolv-conf
 
      ansible.builtin.copy:
 
        src: "{{ server_config_dir }}/openvpn/update-resolv-conf"
 
        dest: /etc/openvpn/update-resolv-conf
 
        owner: root
 
        group: root
 
        mode: "0755"
 
      tags: config
 
    - name: Ensure OpenVPN sevice is enabled + starts
 
      ansible.builtin.service:
 
        name: "openvpn@hideme"
 
        state: "started"
 
        enabled: true
 
      tags: config
 

	
 
    # batman-adv
 
    - name: Add batman-adv to modules
 
      community.general.modprobe:
 
        name: "batman-adv"
 
        state: "present"
 
        persistent: "present"
 
      tags: config
 
    - name: Add nf_conntrack to modules
 
      community.general.modprobe:
 
        name: "nf_conntrack"
 
        state: "present"
 
        persistent: "present"
 
      tags: config
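Review bot: Assuming the single inserted line is the `become: false` on the delegated `List all peers but ourselves` task (the rendered hunk carries no +/- markers, so this is inferred from the commit title), the find now runs as the unprivileged controller user, and `ansible.builtin.find` does not fail when a path is unreadable or missing — it simply returns no matches — so a permission problem on `{{ server_config_dir }}/fastd/peers-gw/` would silently leave the gateway with zero peers installed by the following `Copy fastd peers` task. A guard such as `failed_when: peers_to_copy.matched == 0` on the find task (or an `ansible.builtin.assert` before the copy loop) would surface an empty result instead of applying it. Note also that `excludes` matches file basenames as shell-glob patterns, so our own peer is only skipped when its file is named exactly `{{ inventory_hostname }}`; a one-line comment above the task stating that naming assumption would help the next maintainer.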