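---
# Removes the WireGuard client material for one subscription from the VPN
# servers: the per-client directory, the managed peer block in the interface
# config, and (test mode only) the scheduled cleanup cron entry.
#
# Expected extra vars:
#   subscription_id  required; used to build a filesystem path, a blockinfile
#                    marker, a cron job name and a log message
#   is_test          optional; selects test_client_dir instead of client_dir
#
# subscription_id reaches a `state: absent` path while running as root, so it
# is checked against an allowlist before any task uses it. An empty value would
# otherwise resolve to the client directory itself, and a value containing
# "/" or ".." would resolve outside it.
- name: Cleanup expired VPN configuration
  hosts: vpn_servers
  become: true
  vars:
    client_dir: /etc/wireguard/clients
    test_client_dir: /etc/wireguard/test_clients
    wg_interface: wg0
    is_test: false  # Default to production mode

  tasks:
    # NOTE(review): the allowlist assumes IDs are made of letters, digits,
    # "_" and "-" only. Confirm against the system that issues them and widen
    # the pattern deliberately if needed; never allow "/" or ".".
    - name: Validate subscription_id before it is used in paths and markers
      assert:
        that:
          - subscription_id is defined
          - (subscription_id | string) is match('^[A-Za-z0-9][A-Za-z0-9_-]*$')
          # "$" also matches just before a trailing newline, so reject any
          # surrounding whitespace explicitly.
          - (subscription_id | string | trim) == (subscription_id | string)
        fail_msg: "subscription_id is missing or contains characters outside [A-Za-z0-9_-]; refusing to delete anything"

    - name: Debug cleanup information
      debug:
        msg:
          - "Cleaning up subscription ID: {{ subscription_id }}"
          - "Test mode: {{ is_test }}"

    # Extra vars passed as key=value arrive as strings, and the string "false"
    # is truthy in Jinja. Casting with `| bool` keeps a production run from
    # being pointed at the test directory (or the reverse).
    - name: Set working directory based on mode
      set_fact:
        working_client_dir: "{{ test_client_dir if (is_test | bool) else client_dir }}"

    - name: Remove client configuration directory
      file:
        path: "{{ working_client_dir }}/{{ subscription_id }}"
        state: absent

    - name: Remove client from server config
      blockinfile:
        path: "/etc/wireguard/{{ wg_interface }}.conf"
        marker: "# {mark} ANSIBLE MANAGED BLOCK FOR {{ subscription_id }}"
        state: absent
      notify: restart wireguard

    # Remove cleanup cron job if it exists (for test configs)
    - name: Remove cleanup cronjob
      when: is_test | bool
      cron:
        name: "cleanup_test_vpn_{{ subscription_id }}"
        state: absent

    # argv form passes the message as a single argument with no shell in
    # between, so the templated ID cannot be interpreted as shell syntax.
    - name: Log cleanup
      command:
        argv:
          - logger
          - '-t'
          - vpn-cleanup
          - "Cleaned up VPN configuration for {{ subscription_id }} ({{ 'test' if (is_test | bool) else 'production' }})"

  handlers:
    - name: restart wireguard
      service:
        name: "wg-quick@{{ wg_interface }}"
        state: restarted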