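---
# Manage an ipsecctl(8)-based IPsec setup on an OpenBSD host (wheel group,
# /usr/local/libexec/nagios), plus the NRPE checks that monitor it.
#
# Expects `ipsec_name` to be defined by the caller; the rendered config is
# written to /etc/ipsec/<ipsec_name>.conf.

# Root-only directory for the rendered IPsec config files (they may hold
# pre-shared keys, so nothing below root should be able to read them).
- name: Create /etc/ipsec dir
  file:
    path: /etc/ipsec
    state: directory
    mode: "0700"
    owner: root
    group: wheel
  tags:
    - ipsec

# isakmpd is started with -K; presumably this disables KeyNote policy
# checking so flows loaded with ipsecctl are accepted as-is — confirm
# against isakmpd(8) before changing.
- name: Enable and start isakmpd service
  service:
    name: isakmpd
    arguments: '-K'
    state: started
    enabled: true
  tags:
    - ipsec

# These scripts are later granted to _nrpe via NOPASSWD sudo, so they are
# run as root. They MUST be owned by root and not writable by anyone else,
# otherwise any user who can edit them has a trivial root escalation.
# Ownership is pinned explicitly instead of relying on the connecting
# user's identity. The target directory itself is assumed to be root-owned
# by the nrpe package (not managed here — verify on the host).
- name: Deploy nrpe scripts
  copy:
    src: "{{ item }}"
    dest: /usr/local/libexec/nagios/
    mode: "0755"
    owner: root
    group: wheel
  with_items:
    - 'check_ipsecctl.sh'
    - 'check_ipsecctl_multi.sh'
  tags:
    - ipsec

# Grant _nrpe root execution of exactly the two check scripts above, by
# absolute path, with no arguments wildcarded. `validate` runs visudo on
# the candidate file first: a syntax error in /etc/sudoers disables sudo
# for every user, so the edit is only committed when it parses cleanly.
- name: Add sudo right to _nrpe for check ipsecctl
  lineinfile:
    dest: /etc/sudoers
    line: "{{ item }}"
    state: present
    validate: "visudo -cf %s"
  with_items:
    - "_nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/check_ipsecctl_multi.sh"
    - "_nrpe ALL=(root) NOPASSWD: /usr/local/libexec/nagios/check_ipsecctl.sh"
  tags:
    - ipsec

# Render the config. `validate` parses the rendered temp file with
# `ipsecctl -n` before it is moved into place, so a template error never
# leaves a broken (and possibly partially-applied) config on disk.
# mode 0600 because the file may contain PSKs.
- name: "Copy /etc/ipsec/{{ ipsec_name }}.conf"
  template:
    src: ipsec.conf.j2
    dest: "/etc/ipsec/{{ ipsec_name }}.conf"
    mode: "0600"
    owner: root
    group: wheel
    validate: "ipsecctl -nf %s"
  register: ipsec_conf
  tags:
    - ipsec

# Re-check the installed file on every run (catches out-of-band edits);
# -n only parses, it does not touch the kernel, hence changed_when: false.
- name: "Check {{ ipsec_name }} config"
  command: "ipsecctl -nf /etc/ipsec/{{ ipsec_name }}.conf"
  changed_when: false
  tags:
    - ipsec

# Load the new rules only when the file actually changed. NOTE(review):
# `ipsecctl -f` loads rules without flushing first, so flows/SAs that were
# removed from the template may remain active until a flush — confirm
# whether that is the intended reload semantics.
- name: "Reload ipsec {{ ipsec_name }}"
  command: "ipsecctl -f /etc/ipsec/{{ ipsec_name }}.conf"
  when: ipsec_conf is changed
  tags:
    - ipsec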