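---
# ============================================================================
# Sophos Remote Access VPN Role - Main Tasks
# ============================================================================
#
# Renders templates/remote_access_vpn.json.j2 and POSTs it, URL-encoded, as the
# `reqxml` form field to /webconsole/APIController on the firewall's
# management interface.
#
# Variables read by these tasks:
#   sophos_remote_access_vpn   - VPN definition; every task is skipped or
#                                reports "not defined" when it is absent
#   sophos_mgmt_host / _port   - management endpoint of the firewall
#   sophos_validate_certs      - TLS certificate verification (defaults to
#                                true here when unset)
#   sophos_api_timeout         - request timeout passed to the uri module
#   sophos_no_log_sensitive    - suppresses task logging (defaults to true
#                                here when unset)

- name: Display remote access VPN configuration overview
  ansible.builtin.debug:
    msg:
      - "======================================"
      - "Configuring Remote Access VPN"
      - "======================================"
      - "Firewall: {{ inventory_hostname }}"
      - "Type: {{ sophos_remote_access_vpn.type | default('Not configured') }}"
  tags: ['always']
  when: sophos_remote_access_vpn is defined

- name: Skip remote access VPN configuration (not defined)
  ansible.builtin.debug:
    msg: "No remote access VPN configuration defined for {{ inventory_hostname }}"
  when: sophos_remote_access_vpn is not defined
  tags: ['always']

- name: Configure remote access VPN
  ansible.builtin.uri:
    url: "https://{{ sophos_mgmt_host }}:{{ sophos_mgmt_port }}/webconsole/APIController"
    method: POST
    # Fail closed: verify the firewall's certificate unless the inventory
    # explicitly turns verification off. Without verification the request,
    # and anything sensitive in it, can be intercepted on the path.
    validate_certs: "{{ sophos_validate_certs | default(true) }}"
    headers:
      Content-Type: "application/x-www-form-urlencoded"
    # NOTE(review): the template is named .json.j2 but is sent as `reqxml`;
    # confirm the rendered payload is in the format the API controller expects.
    body: "reqxml={{ lookup('template', 'remote_access_vpn.json.j2') | urlencode }}"
    status_code: [200, 201]
    timeout: "{{ sophos_api_timeout }}"
    # uri only populates `.content` when return_content is enabled; the
    # changed_when expression below depends on it.
    return_content: true
  register: remote_vpn_result
  # Fail closed: presumably the rendered request carries the API login
  # (verify against the template), so keep the body and the registered
  # response out of logs unless logging is explicitly enabled.
  no_log: "{{ sophos_no_log_sensitive | default(true) }}"
  when: sophos_remote_access_vpn is defined
  # The task counts as changed only when the response body contains
  # "successful" (case-insensitive). An empty or missing body is "ok".
  # NOTE(review): an HTTP 200/201 whose body lacks that marker is not
  # treated as a failure here; consider a failed_when on the status text
  # the API returns for rejected logins or invalid requests.
  changed_when: "'successful' in (remote_vpn_result.content | default('') | lower)"
  tags: ['vpn', 'remote-access']

- name: Remote access VPN configuration completed
  ansible.builtin.debug:
    msg: "Remote access VPN configured successfully"
  # This task carries the `always` tag, so it also runs when the configure
  # task was filtered out by --tags, skipped in check mode, or returned a
  # body without the success marker. Only announce success when the
  # configure task actually ran and reported a change.
  when:
    - sophos_remote_access_vpn is defined
    - remote_vpn_result is defined
    - remote_vpn_result is changed
  tags: ['always']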