xoxys.wireguard/tasks/main.yml


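---
# Install WireGuard, make sure a private key for the interface exists
# (generated fresh or recovered from an existing config), derive the
# public key, render the wg-quick config and start the service.
# Every block runs as root.

- block:
    - name: Ensure dependencies are installed
      package:
        name:
          - wireguard-tools
        state: present

    - name: Stat WireGuard config file
      stat:
        path: "/etc/wireguard/{{ wireguard_interface }}.conf"
      register: __wireguard_config_file
  become: true
  become_user: root

# No config on disk and no key supplied by the caller: generate one.
- block:
    - name: Generate WireGuard private key
      command: wg genkey
      register: __wireguard_private_key_gen
      changed_when: false
      # stdout is the private key; keep it out of play output and logs.
      no_log: true

    - name: Set generated private key
      set_fact:
        wireguard_private_key: "{{ __wireguard_private_key_gen.stdout }}"
      no_log: true
  when:
    - not __wireguard_config_file.stat.exists
    - wireguard_private_key is not defined
  become: true
  become_user: root

# Config already on disk and no key supplied: reuse the key it contains.
- block:
    - name: Read WireGuard config file
      slurp:
        src: "/etc/wireguard/{{ wireguard_interface }}.conf"
      register: __wireguard_config
      # The slurped content holds the private key; do not echo it.
      no_log: true

    - name: Set existing private key
      set_fact:
        wireguard_private_key: "{{ __wireguard_config['content'] | b64decode | regex_findall('PrivateKey = (.*)') | first }}"
      no_log: true
  when:
    - __wireguard_config_file.stat.exists
    - wireguard_private_key is not defined
  become: true
  become_user: root

- block:
    - name: Derive WireGuard public key
      command: wg pubkey
      args:
        stdin: "{{ wireguard_private_key }}"
      register: __wireguard_public_key_gen
      changed_when: false
      # stdin carries the private key; keep the task arguments out of logs.
      no_log: true

    - name: Set public key fact
      set_fact:
        __wireguard_public_key: "{{ __wireguard_public_key_gen.stdout }}"

    - name: Generate WireGuard configuration file
      template:
        src: etc/wireguard/wg.conf.j2
        dest: "/etc/wireguard/{{ wireguard_interface }}.conf"
        owner: root
        group: root
        # Quoted so the octal mode is never parsed as a decimal integer.
        mode: "0600"
      notify: __wireguard_restart

    - name: Ensure legacy reload-module-on-update is absent
      file:
        dest: "/etc/wireguard/.reload-module-on-update"
        state: absent

    - name: Ensure WireGuard service is up and running
      service:
        name: "wg-quick@{{ wireguard_interface }}"
        daemon_reload: true
        enabled: true
        state: started
  become: true
  become_user: root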