infrastructure/ansible/roles/gateway/tasks/wireguard.yml

- name: Add unstable apt repo
  lineinfile:
    path: /etc/apt/sources.list.d/unstable.list
    state: present
    line: 'deb http://deb.debian.org/debian/ unstable main'
  register: install_unstable_apt
  become: true
  become_user: root

- name: Limit unstable apt repo
  copy:
    src: limit-unstable.conf
    dest: /etc/apt/preferences.d/limit-unstable
  become: true
  become_user: root
  register: limit_unstable_apt

- name: Update apt repos
  apt:
    update_cache: true
  become: true
  become_user: root
  when: install_unstable_apt.changed or limit_unstable_apt.changed

- name: Install Wireguard
  apt:
    name:
      - wireguard
      - wireguard-tools
  become: true
  become_user: root

- name: Wireguard server config
  template:
    src: files/wireguard-server.conf
    dest: /etc/wireguard/wg0.conf
    backup: yes
  become: true
  become_user: root
  register: wireguard_conf

- name: Enable wireguard
  service:
    name: wg-quick@wg0
    state: reloaded
    enabled: true
  when: wireguard_conf.changed
  become: true
  become_user: root

- name: Create wireguard client directory
  file:
    path: "{{ home }}/wireguard-clients"
    state: directory
    owner: "{{ user }}"
    mode: 0700

- name: Wireguard client configuration
  template:
    src: files/wireguard-client.conf
    dest: "{{ home }}/wireguard-clients/{{ item.key }}.conf"
    owner: "{{ user }}"
    mode: 0600
  loop: "{{ wireguard.clients|dict2items }}"
  loop_control:
    label: "{{ item.key }}"