kedge/ansible/roles/wireguard-bootstrap/tasks/main.yml

---
- name: Ensure WireGuard is installed
  ansible.builtin.package:
    name: wireguard-tools
    state: present

- name: Create /etc/wireguard directory
  ansible.builtin.file:
    path: /etc/wireguard
    state: directory
    mode: "0700"

- name: Generate WireGuard private key
  ansible.builtin.command:
    cmd: wg genkey
    creates: /etc/wireguard/private.key
  register: wg_privkey

- name: Write private key
  ansible.builtin.copy:
    content: "{{ wg_privkey.stdout }}"
    dest: /etc/wireguard/private.key
    mode: "0600"
  when: wg_privkey.changed

- name: Derive public key
  ansible.builtin.shell:
    cmd: cat /etc/wireguard/private.key | wg pubkey
  register: wg_pubkey
  changed_when: false

- name: Template WireGuard config
  ansible.builtin.template:
    src: wg0.conf.j2
    dest: /etc/wireguard/wg0.conf
    mode: "0600"
  notify: restart wireguard

- name: Enable and start WireGuard
  ansible.builtin.service:
    name: "wg-quick@wg0"
    enabled: true
    state: started