
---
# Load the WireGuard variable file (presumably where wireguard_defaults is
# declared; the tasks below read wireguard_defaults.*).
- name: Include wireguard defaults
  ansible.builtin.include_vars: vars/wireguard.yml
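# Create the VPN config directory and the directories that will hold the key
# files. Owned by root, readable/traversable by the systemd-network group only.
- name: Create Wireguard directories
  become: true
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: root
    group: systemd-network
    mode: "0750"
    # No `recurse` here: `recurse: true` re-applies 0750 to every existing
    # file below these directories on each run, overriding the 0640 that the
    # copy tasks set on the key files (a mode fight that also fires the
    # restart handlers on every run). state=directory still creates missing
    # parent directories without it.
  loop:
    - "{{ vpn_config_dir }}"
    - "{{ wireguard_defaults.private_key_path | dirname }}"
    - "{{ wireguard_defaults.public_key_path | dirname }}"
  notify:
    - restart systemd-networkd
    - restart systemd-resolved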
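# Install this host's WireGuard key pair from files/wireguard/<hostname>/.
# Both files are root-owned and readable by the systemd-network group only.
- name: Copy Wireguard credentials
  become: true
  # The private key is a secret: with --diff, copy would print the file
  # contents whenever they change, so diff output is disabled for this task.
  diff: false
  ansible.builtin.copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: root
    group: systemd-network
    mode: "0640"
  loop:
    - dest: "{{ wireguard_defaults.public_key_path }}"
      # Was `{ ansible_hostname }}` (single opening brace): Jinja leaves that
      # literal, so the source path could never resolve to a real file.
      src: "files/wireguard/{{ ansible_hostname }}/fudiggity.pub"
    - dest: "{{ wireguard_defaults.private_key_path }}"
      src: "files/wireguard/{{ ansible_hostname }}/fudiggity.key"
  notify:
    - restart systemd-networkd
    - restart systemd-resolved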
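# Install one preshared key file per peer, with the same ownership and mode
# as the private key.
- name: Copy Wireguard preshared keys
  become: true
  # Preshared keys are secrets: keep their contents out of --diff output.
  diff: false
  ansible.builtin.copy:
    src: "{{ item.preshared_key_source_path }}"
    dest: "{{ item.preshared_key_path }}"
    owner: root
    group: systemd-network
    mode: "0640"
  # NOTE(review): this iterates wireguard_defaults.peers, not the merged
  # `wireguard` mapping built in the template task below — confirm intended.
  loop: "{{ wireguard_defaults.peers }}"
  notify:
    - restart systemd-networkd
    - restart systemd-resolved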
# Render the systemd-networkd unit files for wg0 from the host-specific
# templates. Both units are root-owned and readable by systemd-network only.
- name: Setup network configuration
  become: true
  vars:
    # NOTE(review): `wireguard` is defined in terms of itself. Task vars are
    # resolved lazily, and a self-reference is normally reported by Ansible
    # as a recursive template loop once a template uses it — confirm this
    # actually renders. Also note the combine order: the right-hand operand
    # wins on conflicting keys, so wireguard_defaults overrides `wireguard`.
    wireguard: "{{ wireguard | ansible.builtin.combine(wireguard_defaults) }}"
  ansible.builtin.template:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    owner: root
    group: systemd-network
    mode: "0640"
  loop:
    - src: "templates/{{ ansible_hostname }}/network/wg0.network.j2"
      dest: "/etc/systemd/network/40-wg0.network"
    - src: "templates/{{ ansible_hostname }}/network/wg0.netdev.j2"
      dest: "/etc/systemd/network/40-wg0.netdev"
  notify:
    - restart systemd-networkd
    - restart systemd-resolved