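---
# Makes the primary tinc router the mesh's internet gateway: detect the uplink
# interface, enable forwarding and masquerading on the primary router only,
# then bring up tinc and keepalived and verify outbound connectivity.
# Variables expected from inventory/vars (defined elsewhere — TODO confirm):
# tinc_primary_router, proxy_test_urls, proxy_test_timeout.

- name: Get the internet interface
  # Ask the kernel which device routes to a public address and keep only the
  # device name. Read-only query: never reported as "changed", and it runs in
  # check mode too (presumably so the set_fact below always has a value).
  shell: ip route get 1.1.1.1 | head -n1 | sed -E 's/^.+dev ([^ ]+).+$/\1/'
  register: interface_result
  changed_when: false
  check_mode: false

- name: Set host interface facts
  set_fact:
    proxy_interface: "{{ interface_result.stdout | trim }}"

# Every task from here to the tinc role is gated on inventory_hostname ==
# tinc_primary_router: only that host becomes a router.
- name: Allow ip forwarding
  # sysctl_set applies the value to the running kernel immediately; reload
  # re-reads the sysctl configuration. Forwarding turns this host into a
  # router, which is why the iptables rules below must accompany it.
  sysctl:
    name: net.ipv4.ip_forward
    value: "1"
    sysctl_set: true
    reload: true
  when: inventory_hostname == tinc_primary_router

- name: Activate masquerade
  # Source-NAT everything leaving through the uplink so VPN peers reach the
  # internet via this host. Rules added by the iptables module live in the
  # running kernel only; they are not persisted across reboots unless saved
  # separately — TODO confirm how persistence is handled in this deployment.
  iptables:
    table: nat
    chain: POSTROUTING
    out_interface: "{{ proxy_interface }}"
    jump: MASQUERADE
  when: inventory_hostname == tinc_primary_router

- name: Allow packet forwarding from WAN to LAN
  # Despite the task name this matches traffic entering on tun0 (the VPN
  # side) and leaving on the uplink. With the next rule it forms the usual
  # stateful gateway pair. NOTE(review): both rules only restrict anything if
  # the FORWARD chain's default policy is DROP, which this file does not set;
  # verify the policy is set elsewhere, otherwise all forwarding between
  # interfaces is permitted regardless of these rules.
  iptables:
    chain: FORWARD
    in_interface: tun0
    out_interface: "{{ proxy_interface }}"
    jump: ACCEPT
  when: inventory_hostname == tinc_primary_router

- name: Check if incoming packets comme from an active connexion
  # Reverse direction (uplink -> VPN): only reply or related traffic of
  # connections initiated from the VPN side is forwarded back.
  iptables:
    chain: FORWARD
    in_interface: "{{ proxy_interface }}"
    out_interface: tun0
    ctstate:
      - ESTABLISHED
      - RELATED
    jump: ACCEPT
  when: inventory_hostname == tinc_primary_router

- name: Set up tinc
  include_role:
    name: tinc

- name: Set up keepalived
  # include_tasks replaces the deprecated bare `include` with the same dynamic
  # task-inclusion semantics.
  include_tasks: keepalived.yml

- name: Check for internet access
  # Renders to `false || curl <url1> || curl <url2> ... || false`, so the task
  # succeeds as soon as one URL answers and fails when none does. URLs come
  # from a variable and are passed through the `quote` filter so a value
  # containing spaces or shell metacharacters cannot alter the command.
  # curl flags: -I HEAD only; -s/-S quiet but still report errors; -L follow
  # redirects; -m overall timeout in seconds.
  shell: |-
    false \
    {% for url in proxy_test_urls %}
    || curl -IsSL -m{{ proxy_test_timeout }} {{ url | quote }} \
    {% endfor %}
    || false
  args:
    # `warn` has been removed from the shell module in recent ansible-core
    # releases; drop this line when targeting those versions.
    warn: false
  check_mode: false
  changed_when: false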