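# Installs strongSwan (IKEv2), checks this host's key material for the expected
# ownership and modes, renders the IPsec configuration, and wires the
# if-up/if-down hooks for the dedicated IPsec interface.
# Handlers named under `notify` are defined outside this file.
#
# Module arguments are written as native YAML mappings rather than key=value
# strings: templated values are then passed as a single argument instead of
# being re-split by the key=value parser, and octal modes stay quoted strings.

- name: Install strongSwan
  apt:
    pkg: strongswan-ikev2

# No `state` is given, so this task does not create the key; it only enforces
# owner/group/mode on the path. 0600 root:root keeps the private key unreadable
# by other local accounts.
# NOTE(review): `notify` fires only when a task reports "changed" (here, when
# ownership or mode had to be corrected) - confirm that this is the intended
# trigger for "Missing IPSec certificate", and how the targeted Ansible version
# treats an absent path. The same applies to the two certificate tasks below.
- name: Ensure we have our private key
  file:
    path: "/etc/ipsec.d/private/{{ inventory_hostname }}.key"
    owner: root
    group: root
    mode: "0600"
  notify:
    - Missing IPSec certificate

# The host certificate is public material, hence world-readable (0644).
- name: Ensure we have our public key
  file:
    path: "/etc/ipsec.d/certs/{{ inventory_hostname }}.pem"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Missing IPSec certificate

# The CA certificate; root-owned so that only root can replace it.
- name: Ensure we have the CA's public key
  file:
    path: /etc/ipsec.d/cacerts/cacert.pem
    owner: root
    group: root
    mode: "0644"
  notify:
    - Missing IPSec certificate

# Rendered with 0600 so only root can read /etc/ipsec.secrets.
# The result is registered as r1 and consulted by "Start IPSec" below.
# NOTE(review): if the rendered file contains pre-shared keys or passphrases,
# consider `no_log: true` on this task so that diff or verbose output does not
# expose them in run logs.
- name: Configure IPSec's secrets
  template:
    src: etc/ipsec.secrets.j2
    dest: /etc/ipsec.secrets
    owner: root
    group: root
    mode: "0600"
  register: r1
  notify:
    - Restart IPSec

# The result is registered as r2 and consulted by "Start IPSec" below.
- name: Configure IPSec
  template:
    src: etc/ipsec.conf.j2
    dest: /etc/ipsec.conf
    owner: root
    group: root
    mode: "0644"
  register: r2
  notify:
    - Restart IPSec

# Skipped when either template changed: in that case "Restart IPSec" has
# already been notified, presumably making a separate start redundant.
- name: Start IPSec
  service:
    name: ipsec
    state: started
  when: not (r1.changed or r2.changed)

# Hook script installed executable (0755) and writable by root only.
- name: Auto-create a dedicated interface for IPSec
  copy:
    src: etc/network/if-up.d/ipsec
    dest: /etc/network/if-up.d/ipsec
    owner: root
    group: root
    mode: "0755"
  notify:
    - Reload networking

# Relative symlink: /etc/network/if-down.d/ipsec points at ../if-up.d/ipsec,
# so both hook directories share the one script installed above.
- name: Auto-deactivate the dedicated interface for IPSec
  file:
    src: ../if-up.d/ipsec
    dest: /etc/network/if-down.d/ipsec
    owner: root
    group: root
    state: link

# Run any handlers notified so far now, instead of at the end of the play.
- meta: flush_handlers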