feat: full untested ansible setup

roles/wireguard/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart WireGuard
+  ansible.builtin.service:
+    name: "wg-quick@{{ wireguard_interface.name }}"
+    state: restarted

roles/wireguard/tasks/main.yml

@@ -0,0 +1,31 @@
+---
+- name: Install WireGuard packages
+  ansible.builtin.apt:
+    name:
+      - wireguard
+      - wireguard-tools
+    state: present
+    update_cache: true
+
+- name: Ensure WireGuard configuration directory exists
+  ansible.builtin.file:
+    path: /etc/wireguard
+    state: directory
+    owner: root
+    group: root
+    mode: "0700"
+
+- name: Render WireGuard interface configuration
+  ansible.builtin.template:
+    src: wg0.conf.j2
+    dest: "/etc/wireguard/{{ wireguard_interface.name }}.conf"
+    owner: root
+    group: root
+    mode: "0600"
+  notify: Restart WireGuard
+
+- name: Enable WireGuard interface
+  ansible.builtin.service:
+    name: "wg-quick@{{ wireguard_interface.name }}"
+    state: started
+    enabled: true

roles/wireguard/templates/wg0.conf.j2

@@ -0,0 +1,21 @@
+[Interface]
+Address = {{ wireguard_interface.address | join(', ') }}
+ListenPort = {{ wireguard_interface.listen_port }}
+PrivateKey = {{ wireguard_interface.private_key }}
+
+{% for peer in wireguard_interface.peers %}
+# {{ peer.name }}
+[Peer]
+PublicKey = {{ peer.public_key }}
+{% if peer.preshared_key is defined and peer.preshared_key | length > 0 %}
+PresharedKey = {{ peer.preshared_key }}
+{% endif %}
+AllowedIPs = {{ peer.allowed_ips | join(', ') }}
+{% if peer.endpoint is defined %}
+Endpoint = {{ peer.endpoint }}
+{% endif %}
+{% if peer.persistent_keepalive is defined %}
+PersistentKeepalive = {{ peer.persistent_keepalive }}
+{% endif %}
+
+{% endfor %}