---
# ocserv has built-in chroot functionality

# it's fine here, other roles won't be running any pkg_add
- name: "install ocserv"
  community.general.openbsd_pkg:
    name: ocserv--
    state: present

- name: "create directory"
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: _vpn
    group: _vpn
    mode: 0700
  loop:
    - /var/reactance/ocserv
    - /var/reactance/ocserv/run
    - /var/reactance/ocserv/certs

- name: "create log file"
  ansible.builtin.file:
    path: /var/log/ocserv.log
    state: touch
    mode: "0600"
  changed_when: false

- name: "create temporary directory"
  ansible.builtin.tempfile:
    state: directory
    suffix: temp
  register: ocserv_tempdir
  notify:
    - remove_ocserv_tempdir

- name: "template out config"
  ansible.builtin.template:
    src: ocserv.conf.j2
    dest: /var/reactance/ocserv/ocserv.conf

- name: "template out init script"
  ansible.builtin.template:
    src: ocserv.rc.j2
    dest: "{{ ocserv_tempdir.path }}/ocserv.rc"

# will fail without it
- name: "copy ocserv-worker"
  ansible.builtin.copy:
    owner: _vpn
    group: _vpn
    remote_src: true
    src: /usr/local/sbin/ocserv-worker
    dest: /var/reactance/ocserv/ocserv-worker
    mode: 0770

- name: "install init script"
  ansible.builtin.shell: "install -m 755 -g bin {{ ocserv_tempdir.path }}/ocserv.rc /etc/rc.d/ocserv && rm -rf /var/reactance/ocserv/ocserv.rc"

- name: "remove /etc/ocserv (we are using /var/reactance/ocserv)"
  ansible.builtin.file:
    path: /etc/ocserv
    state: absent