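---
# Provisions the hosts in the "almalinux" group: a 4G swap file, a full package
# upgrade, WireGuard tooling and a key pair, an XFCE desktop served over
# TigerVNC, firewalld openings for both services, and a final reboot.
- name: Setup Swap, WireGuard, and VNC on CentOS
  hosts: almalinux
  become: true
  tasks:
    # --- Swap -------------------------------------------------------------
    - name: Create a swap file
      ansible.builtin.command: fallocate -l 4G /swapfile
      args:
        creates: /swapfile
      register: swapfile_created

    # Restrict the file before it is formatted: swap can hold pages from any
    # process, so only root may read it.
    - name: Set permissions on the swap file
      ansible.builtin.file:
        path: /swapfile
        owner: root
        group: root
        mode: "0600"

    # The original guarded this task with "creates: /swapfile". That file
    # always exists by this point, so mkswap was skipped on every run and the
    # swap file was never formatted. Format only on the run that created it.
    - name: Set up swap space
      ansible.builtin.command: mkswap /swapfile
      when: swapfile_created is changed
      changed_when: true

    # state: present only records the entry in /etc/fstab; swap becomes
    # active after the reboot at the end of the play.
    - name: Enable swap file
      ansible.posix.mount:
        path: none
        src: /swapfile
        fstype: swap
        state: present

    # Kept from the original. It appears redundant with the mount task above,
    # which already manages the fstab entry.
    - name: Add swap file to fstab
      ansible.builtin.lineinfile:
        path: /etc/fstab
        line: /swapfile none swap defaults 0 0
        state: present

    # --- Packages ---------------------------------------------------------
    - name: Update package cache
      ansible.builtin.dnf:
        update_cache: true

    # Deliberately non-idempotent: every run pulls whatever is newest.
    - name: Upgrade all packages
      ansible.builtin.dnf:
        name: "*"
        state: latest

    # --- WireGuard --------------------------------------------------------
    - name: Install WireGuard
      ansible.builtin.dnf:
        name:
          - wireguard-tools
        state: present

    - name: Load WireGuard module
      community.general.modprobe:
        name: wireguard
        state: present

    - name: Enable IP forwarding
      ansible.posix.sysctl:
        name: net.ipv4.ip_forward
        value: "1"
        state: present
        reload: true

    # Make sure the key directory exists and is closed to non-root users
    # before any key material is written into it.
    - name: Ensure WireGuard configuration directory is private
      ansible.builtin.file:
        path: /etc/wireguard
        state: directory
        owner: root
        group: root
        mode: "0700"

    # umask 077 makes tee create the private key as 0600 from the start.
    # Without it the key is written with the default umask and is briefly
    # (or permanently) readable by other local users.
    - name: Create WireGuard keys
      ansible.builtin.shell:
        cmd: >-
          umask 077 &&
          wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey
        creates: /etc/wireguard/privatekey

    # Covers hosts where an earlier run already created the key with looser
    # permissions; the "creates" guard above would otherwise leave it as is.
    - name: Enforce permissions on the WireGuard private key
      ansible.builtin.file:
        path: /etc/wireguard/privatekey
        owner: root
        group: root
        mode: "0600"

    # --- Desktop and VNC --------------------------------------------------
    - name: Install EPEL release
      ansible.builtin.dnf:
        name: epel-release
        state: present

    - name: Install XFCE desktop environment
      ansible.builtin.dnf:
        name: "@XFCE"
        state: present

    - name: Install TigerVNC server
      ansible.builtin.dnf:
        name: tigervnc-server
        state: present

    # become: false, so "~" resolves to the connecting user's home. The
    # directory is made private because it normally holds the VNC password
    # file. "recurse" is dropped so the mode is not pushed onto xstartup.
    - name: Create vnc configuration directory
      become: false
      ansible.builtin.file:
        path: ~/.vnc/
        state: directory
        mode: "0700"

    - name: Create VNC startup file
      become: false
      ansible.builtin.copy:
        dest: ~/.vnc/xstartup
        content: |
          #!/bin/sh
          unset SESSION_MANAGER
          unset DBUS_SESSION_BUS_ADDRESS
          exec /etc/X11/xinit/xinitrc
        mode: "0755"

    # NOTE(review): this play sets no VNC password and no display-to-user
    # mapping (on recent EL releases: /etc/tigervnc/vncserver.users).
    # Confirm both exist on the host, otherwise this unit is likely to fail.
    - name: Enable TigerVNC service
      ansible.builtin.systemd:
        name: vncserver@:1.service
        enabled: true
        state: started

    # --- Firewall ---------------------------------------------------------
    - name: Open WireGuard port (51820) in firewall
      ansible.posix.firewalld:
        service: wireguard
        permanent: true
        state: enabled
        zone: public

    # NOTE(review): this exposes VNC directly in the public zone. VNC
    # sessions are not encrypted by default, so consider allowing 5901 only
    # from the WireGuard interface or a trusted source range. Left unchanged
    # because existing clients may depend on it.
    - name: Open VNC port (5901) in firewall
      ansible.posix.firewalld:
        port: 5901/tcp
        permanent: true
        state: enabled
        zone: public

    # The rules above are permanent-only; the restart loads them at runtime.
    - name: Reload firewalld to apply changes
      ansible.builtin.service:
        name: firewalld
        state: restarted

    - name: Reboot the system
      ansible.builtin.reboot:
        msg: Rebooting to apply changes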