---
#vpn_guard/tasks/main.yml
- name: Get host public IP
  command: curl -s https://ipinfo.io/ip
  register: host_ip
  changed_when: false
  when: not ansible_check_mode

- name: Get VPN public IP (via Gluetun)
  become: true
  become_user: "{{ container_user }}"
  command: podman exec gluetun wget -qO- https://ipinfo.io/ip
  register: vpn_ip
  changed_when: false
  when: not ansible_check_mode

- name: Fail if VPN is not active (kill switch check)
  fail:
    msg: "VPN is NOT active (host={{ host_ip.stdout }} vpn={{ vpn_ip.stdout }}). Aborting arr stack start."
  when:
    - not ansible_check_mode
    - host_ip.stdout == vpn_ip.stdout