- name: Install WireGuard
  ansible.builtin.apt:
    name: wireguard
    state: present
    update_cache: true

- name: Generate WireGuard keys
  ansible.builtin.shell: |
    set -o pipefail
    wg genkey | tee privatekey | wg pubkey > publickey
  args:
    chdir: /etc/wireguard/
    creates: /etc/wireguard/privatekey
    executable: /usr/bin/bash

- name: Grab WireGuard private key for configuration
  ansible.builtin.slurp:
    src: /etc/wireguard/privatekey
  register: wgkey

- name: Install WireGuard configuration
  ansible.builtin.template:
    src: wireguard.j2
    dest: /etc/wireguard/wg0.conf
    mode: 0400
  notify: restart_wireguard

- name: Start WireGuard interface
  ansible.builtin.service:
    name: wg-quick@wg0
    state: started
    enabled: true

- name: Add WireGuard firewall rule
  community.general.ufw:
    rule: allow
    port: "{{ wireguard.listenport }}"
    proto: udp
  when: wireguard.listenport is defined