
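---
# Base-role tasks for a WireGuard node: install the package, generate the
# host key pair once, read the host private key and any per-peer preshared
# keys into registered vars that wireguard.j2 consumes, render wg0.conf and
# bring the interface up.
#
# Inputs (defined by the caller):
#   wireguard.peers      - list of dicts, each with a `name`
#   wireguard.listenport - optional UDP port; opens a ufw rule when set
#
# Registered vars consumed by wireguard.j2 (names must not change):
#   wgkey, presharedkey_files, wgshared

- name: Install WireGuard
  ansible.builtin.apt:
    name: wireguard
    state: present
    update_cache: true

# Runs once: `creates` makes the task a no-op while privatekey exists
# (publickey alone going missing is not detected). umask 077 makes the key
# files 0600 instead of the default-umask 0644, so the private key is never
# world-readable, not even between creation and a later chmod.
- name: Generate WireGuard keys
  ansible.builtin.shell: |
    set -o pipefail
    umask 077
    wg genkey | tee privatekey | wg pubkey > publickey
  args:
    chdir: /etc/wireguard/
    creates: /etc/wireguard/privatekey
    executable: /usr/bin/bash

# The slurp result (base64 of the private key) would otherwise be printed
# with -v and end up in any log collector; no_log keeps it out of both.
- name: Grab WireGuard private key for configuration
  ansible.builtin.slurp:
    src: /etc/wireguard/privatekey
  register: wgkey
  no_log: true

# A peer gets a PSK only if /etc/wireguard/presharedkey-<name> already
# exists on the host; this role does not create those files.
- name: Check if WireGuard preshared key file exists
  ansible.builtin.stat:
    path: /etc/wireguard/presharedkey-{{ item.name }}
  loop: "{{ wireguard.peers }}"
  loop_control:
    label: "{{ item.name }}"
  register: presharedkey_files

# Peers without a file are skipped, so wgshared.results contains a skipped
# entry for them; the template must handle that case. PSK content is secret
# in the same way the private key is, hence no_log.
- name: Grab WireGuard preshared key for configuration
  ansible.builtin.slurp:
    src: /etc/wireguard/presharedkey-{{ item.item.name }}
  register: wgshared
  loop: "{{ presharedkey_files.results }}"
  loop_control:
    label: "{{ item.item.name }}"
  when: item.stat.exists
  no_log: true

# wg0.conf embeds the private key (and PSKs), so it is root-read-only.
- name: Install WireGuard configuration
  ansible.builtin.template:
    src: wireguard.j2
    dest: /etc/wireguard/wg0.conf
    mode: "0400"
  notify: restart_wireguard

- name: Start WireGuard interface
  ansible.builtin.service:
    name: wg-quick@wg0
    state: started
    enabled: true

# Only nodes that listen need an inbound rule; client-only nodes leave
# wireguard.listenport undefined.
- name: Add WireGuard firewall rule
  community.general.ufw:
    rule: allow
    port: "{{ wireguard.listenport }}"
    proto: udp
  when: wireguard.listenport is defined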