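---
# vpn/tasks/main.yml
#
# Prepares a host to run the Gluetun VPN container as a rootless Podman
# Quadlet under container_user: makes sure the xt_conntrack netfilter module
# that Gluetun's firewall needs can be loaded (rebooting onto the matching
# kernel when it cannot), persists it, deploys the Quadlet unit and starts it.

- name: Install kernel extra modules for Gluetun firewall
  become: true
  dnf:
    name: kernel-modules-extra
    state: present
  register: kernel_modules_extra_install

# modinfo resolves against the *running* kernel, so rc != 0 here covers both
# "module absent" and "kernel-modules-extra was installed for a newer kernel
# than the one currently booted".
- name: Check whether xt_conntrack is available for running kernel
  become: true
  command: modinfo xt_conntrack
  register: xt_conntrack_modinfo
  changed_when: false
  failed_when: false  # rc is evaluated by the reboot task below

- name: Reboot if kernel modules were installed but running kernel cannot find xt_conntrack
  become: true
  reboot:
    msg: "Rebooting to load kernel matching installed kernel-modules-extra for Gluetun firewall"
    reboot_timeout: 600
  when:
    - xt_conntrack_modinfo.rc != 0

# Fails the play if the module is still unavailable after the reboot.
- name: Load xt_conntrack for Gluetun firewall
  become: true
  community.general.modprobe:
    name: xt_conntrack
    state: present

# Root-owned, world-readable module list; nothing sensitive in it.
- name: Persist xt_conntrack module
  become: true
  copy:
    dest: /etc/modules-load.d/gluetun.conf
    mode: "0644"
    content: |
      xt_conntrack

- name: Configure SELinux for Gluetun device access
  ansible.builtin.import_role:
    name: selinux_containers
    tasks_from: vpn

# NOTE(review): this task sets no owner/mode and, unlike the systemd tasks
# below, does not become container_user, so the unit file is written by the
# connecting user with the remote umask default. If the template embeds VPN
# credentials, an explicit restrictive mode is worth confirming.
- name: Deploy Quadlet files
  template:
    src: "gluetun.container.j2"
    dest: "{{ container_config_dir }}/gluetun.container"

# Runs unconditionally so the user manager regenerates the unit from the
# Quadlet file; changed_when: false stops it from reporting a change on
# every run.
- name: Force systemd reload (blocking)
  become: true
  become_user: "{{ container_user }}"
  environment:
    XDG_RUNTIME_DIR: "{{ container_runtime_dir }}"
  command: systemctl --user daemon-reload
  changed_when: false

# Safety margin after the reload before the generated unit is addressed.
- name: Wait for quadlet generation
  pause:
    seconds: 1

- name: Start vpn
  become: true
  become_user: "{{ container_user }}"
  environment:
    XDG_RUNTIME_DIR: "{{ container_runtime_dir }}"
  systemd:
    name: gluetun.service
    scope: user
    state: started

# Polls up to 20 x 2s for the container object to appear under the user's
# Podman; the exit code is the only signal used.
- name: Wait for Gluetun container to exist
  become: true
  become_user: "{{ container_user }}"
  command: podman container exists gluetun
  register: gluetun_exists
  retries: 20
  delay: 2
  until: gluetun_exists.rc == 0
  changed_when: false

# Gives Gluetun time to bring the tunnel and firewall up before dependent
# tasks continue.
- name: Wait for Gluetun to stabilize
  pause:
    seconds: 5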