---
# WireGuard role tasks: install tooling, obtain a private key (generate a new
# one or reuse the one already in the interface config), derive the public
# key, render the config, and start the wg-quick unit.

- name: Ensure dependencies are installed
  ansible.builtin.package:
    name: "{{ item }}"
    state: present
  loop:
    - wireguard-tools

- name: Stat WireGuard config file
  ansible.builtin.stat:
    path: "/etc/wireguard/{{ wireguard_interface }}.conf"
  register: __wireguard_config_file

# Only generate a key when no config exists yet and the caller did not
# supply wireguard_private_key explicitly.
- name: Generate WireGuard private key
  when:
    - not __wireguard_config_file.stat.exists
    - wireguard_private_key is not defined
  block:
    # The key is captured in a registered variable; as with any secret in
    # task output, consider no_log: true on the tasks that handle it so it
    # does not end up in verbose logs or callback output.
    - name: Generate WireGuard private key
      ansible.builtin.command: "wg genkey"
      register: __wireguard_private_key_gen
      changed_when: False

    - name: Set generated private key
      ansible.builtin.set_fact:
        wireguard_private_key: "{{ __wireguard_private_key_gen.stdout }}"

# If a config already exists, reuse its key so the peer's public key stays
# stable across runs instead of being regenerated.
- name: Load existing WireGuard private key
  when:
    - __wireguard_config_file.stat.exists
    - wireguard_private_key is not defined
  block:
    - name: Read WireGuard config file
      ansible.builtin.slurp:
        src: "/etc/wireguard/{{ wireguard_interface }}.conf"
      register: __wireguard_config

    # slurp returns base64; decode and pull the PrivateKey line out of the
    # [Interface] section.
    - name: Set existing private key
      ansible.builtin.set_fact:
        wireguard_private_key: "{{ __wireguard_config['content'] | b64decode | regex_findall('PrivateKey = (.*)') | first }}"

# Feed the private key on stdin rather than as an argument so it does not
# appear in the process list.
- name: Derive WireGuard public key
  ansible.builtin.command: "wg pubkey"
  args:
    stdin: "{{ wireguard_private_key }}"
  register: __wireguard_public_key_gen
  changed_when: False

- name: Set public key fact
  ansible.builtin.set_fact:
    __wireguard_public_key: "{{ __wireguard_public_key_gen.stdout }}"

# The rendered config contains the private key, so it is root-only (0600).
- name: Generate WireGuard configuration file
  ansible.builtin.template:
    src: etc/wireguard/wg.conf.j2
    dest: "/etc/wireguard/{{ wireguard_interface }}.conf"
    owner: root
    group: root
    mode: "0600"
  notify: __wireguard_restart

- name: Ensure legacy reload-module-on-update is absent
  ansible.builtin.file:
    dest: "/etc/wireguard/.reload-module-on-update"
    state: absent

- name: Ensure WireGuard service is up and running
  ansible.builtin.service:
    name: "wg-quick@{{ wireguard_interface }}"
    daemon_reload: True
    enabled: True
    state: started