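---
# Tasks that install and configure the captive portal: packages, nftables
# rules, a dedicated system account, the application files, the systemd unit
# and a cron job that persists the allowed_macs set.
#
# Every file managed here is security relevant (firewall rules, code run by
# the service, a systemd unit), so owner, group and mode are set explicitly
# instead of depending on the remote umask or on whatever a pre-existing file
# happens to have.

- name: install dependencies
  ansible.builtin.apt:
    pkg:
      - python3-pyroute2
      - python3-nftables
      - python3-flask
      - gunicorn
    state: present

- name: copy nftables config
  ansible.builtin.template:
    src: captive-portal-rules.nft.j2
    dest: /etc/nftables.d/captive-portal-rules.nft
    # Firewall rules must only be writable by root.
    owner: root
    group: root
    mode: '0644'
  notify: reload nftables

- name: create captive-portal group
  ansible.builtin.group:
    name: captive-portal
    system: true

- name: create directory /usr/local/lib/captive-portal
  ansible.builtin.file:
    path: /usr/local/lib/captive-portal
    state: directory
    # This directory is also the home of the captive-portal account (see the
    # user task below). Keeping it root-owned and not group-writable means the
    # service account cannot replace the code it runs.
    owner: root
    group: root
    mode: '0755'

- name: create captive-portal user
  ansible.builtin.user:
    name: captive-portal
    group: captive-portal
    home: /usr/local/lib/captive-portal
    # The home directory is managed by the file task above, not by this module.
    create_home: false
    system: true

- name: copy captive-portal config
  ansible.builtin.template:
    src: captive-portal.conf.j2
    dest: /etc/captive-portal.conf
    # root owns the file; the service group may read it, others get nothing.
    owner: root
    group: captive-portal
    mode: '0640'
  notify: restart captive-portal

- name: copy captive-portal script
  ansible.builtin.copy:
    src: captive-portal.py
    dest: /usr/local/lib/captive-portal/captive_portal.py
    owner: root
    group: root
    # NOTE(review): 0644 assumes the script is imported (e.g. by gunicorn) and
    # not executed directly - confirm against captive-portal.service.
    mode: '0644'
  notify: restart captive-portal

- name: copy captive-portal service
  ansible.builtin.copy:
    src: captive-portal.service
    dest: /etc/systemd/system/captive-portal.service
    owner: root
    group: root
    mode: '0644'
  notify: restart captive-portal

# No minute/hour/day fields are given, so the cron module uses "*" for each of
# them and the job runs every minute. The job is installed in the crontab of
# the user the play runs as; nft and /etc/nftables.d presumably need root -
# confirm the play uses become.
- name: add cronjob to persist captive-portal allowed_macs set
  ansible.builtin.cron:
    name: persist captive-portal allowed_macs set
    # captive-portal-sets.nft is loaded after captive-portal-rules.nft so it can overwrite the set
    # The set is written to a temporary file first and then moved into place,
    # so a partially written file is never at the path that gets loaded.
    job: '/sbin/nft list set inet captive_portal allowed_macs > /etc/nftables.d/.captive-portal-sets.nft.tmp && mv /etc/nftables.d/.captive-portal-sets.nft.tmp /etc/nftables.d/captive-portal-sets.nft'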