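---
# Interactive playbook: adds one WireGuard client to every host in the
# "vpn" group. Prompts for a client name and address, generates the key
# material on the server, renders the client config, appends a [Peer]
# stanza to wg0.conf and restarts the interface.
# wireguard_pre_shared_key (bool) is expected from inventory or role
# defaults; when unset or false, no pre-shared key is generated.
- name: Add WireGuard Client
  hosts: vpn
  become: true
  gather_facts: false

  vars_prompt:
    - name: client_name
      prompt: "Client-Name"
      private: false
    - name: client_ip
      prompt: "Client-IP (z.B. 10.8.0.30)"
      private: false

  tasks:
    - name: Validiere Eingaben
      fail:
        msg: "client_name und client_ip müssen angegeben werden"
      when: client_name | length == 0 or client_ip | length == 0

    # client_name ends up in file paths and shell commands, client_ip in a
    # grep pattern; restrict both to a safe character set before anything
    # below uses them (path traversal / command injection via the prompt).
    - name: Validiere Format der Eingaben
      fail:
        msg: "client_name darf nur [A-Za-z0-9_-] enthalten, client_ip muss eine IPv4-Adresse sein (z.B. 10.8.0.30)"
      when: >-
        client_name is not match('^[A-Za-z0-9_-]+$')
        or client_ip is not match('^([0-9]{1,3}\.){3}[0-9]{1,3}$')

    - name: Prüfe ob Client bereits existiert
      stat:
        path: /etc/wireguard/clients/{{ client_name }}.conf
      register: client_exists

    - name: Fehler wenn Client bereits existiert
      fail:
        msg: "Client {{ client_name }} existiert bereits!"
      when: client_exists.stat.exists

    # The IP is regex-escaped and must be followed by "/" or end of line,
    # so 10.8.0.3 no longer matches 10.8.0.30; the whole pattern is
    # shell-quoted so the prompt value cannot alter the command.
    - name: Prüfe IP-Konflikt
      shell: >-
        grep -rE {{ ('Address.*[^0-9.]' ~ (client_ip | regex_escape) ~ '(/|$)') | quote }}
        /etc/wireguard/clients/ || true
      register: ip_conflict
      changed_when: false

    - name: Fehler bei IP-Konflikt
      fail:
        msg: "IP {{ client_ip }} wird bereits verwendet!"
      when: ip_conflict.stdout | length > 0

    # umask 077 closes the window in which tee would otherwise create the
    # private key with the default mode before chmod runs; set -e aborts
    # on the first failing command instead of continuing with a bad key.
    - name: Generiere Schlüssel für neuen Client
      shell: |
        set -e
        umask 077
        cd /etc/wireguard/clients
        wg genkey | tee {{ client_name | quote }}-private.key | wg pubkey > {{ client_name | quote }}-public.key
        chmod 600 {{ client_name | quote }}-private.key {{ client_name | quote }}-public.key

    - name: Generiere Pre-shared Key
      shell: |
        set -e
        umask 077
        cd /etc/wireguard/clients
        wg genpsk > {{ client_name | quote }}-psk.key
        chmod 600 {{ client_name | quote }}-psk.key
      when: wireguard_pre_shared_key | default(false)

    - name: Lese Server-Public-Key
      slurp:
        src: /etc/wireguard/server-public.key
      register: server_pub_key

    # no_log keeps the base64 private key out of verbose output and logs.
    - name: Lese Client-Private-Key
      slurp:
        src: /etc/wireguard/clients/{{ client_name }}-private.key
      register: client_priv_key
      no_log: true

    - name: Lese Client-Public-Key
      slurp:
        src: /etc/wireguard/clients/{{ client_name }}-public.key
      register: client_pub_key

    # A skipped task still registers its result, so client_psk is always
    # defined; later tasks therefore test client_psk.content instead.
    - name: Lese Pre-shared Key
      slurp:
        src: /etc/wireguard/clients/{{ client_name }}-psk.key
      register: client_psk
      no_log: true
      when: wireguard_pre_shared_key | default(false)

    # no_log: with --diff the rendered file, private key included, would
    # otherwise be printed to the console.
    - name: Erstelle Client-Konfiguration
      template:
        src: roles/wireguard/templates/client.conf.j2
        dest: /etc/wireguard/clients/{{ client_name }}.conf
        mode: '0600'
      no_log: true
      vars:
        item:
          name: "{{ client_name }}"
          address: "{{ client_ip }}"
        wg_server_public_key: "{{ server_pub_key.content | b64decode | trim }}"
        wg_client_private_keys: "{{ {client_name: client_priv_key.content | b64decode | trim} }}"
        wg_client_psk_keys: "{{ {client_name: client_psk.content | b64decode | trim} if client_psk.content is defined else {} }}"

    # The block carries the pre-shared key, so keep it out of --diff output.
    - name: Füge Client zur Server-Konfiguration hinzu
      blockinfile:
        path: /etc/wireguard/wg0.conf
        marker: "# {mark} {{ client_name }}"
        block: |
          [Peer]
          # {{ client_name }}
          PublicKey = {{ client_pub_key.content | b64decode | trim }}
          AllowedIPs = {{ client_ip }}/32
          {% if client_psk.content is defined %}
          PresharedKey = {{ client_psk.content | b64decode | trim }}
          {% endif %}
      no_log: true

    # A restart takes wg0 down and up again, so existing peers are
    # briefly interrupted while the new [Peer] stanza is picked up.
    - name: Starte WireGuard neu
      systemd:
        name: wg-quick@wg0
        state: restarted

    - name: Zeige Erfolg
      debug:
        msg: |
          ✅ Client {{ client_name }} wurde erfolgreich hinzugefügt!
          📂 Konfiguration: /etc/wireguard/clients/{{ client_name }}.conf
          💾 Download: make download-configs

    # Best effort: qrencode may not be installed. failed_when: false keeps
    # the task from being reported as failed while still recording rc for
    # the task below; the command changes nothing on the host.
    - name: Erstelle QR-Code
      shell: qrencode -t ansiutf8 < /etc/wireguard/clients/{{ client_name | quote }}.conf
      register: qr_code
      changed_when: false
      failed_when: false

    # The QR code encodes the complete client config, private key
    # included; showing it is the purpose of this task, so no no_log here.
    - name: Zeige QR-Code
      debug:
        msg: |
          📱 QR-Code für {{ client_name }}:
          {{ qr_code.stdout }}
      when: qr_code.rc == 0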