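---
# WireGuard client key material for a single client.
#
# Creates `{{ role_path }}/client-keys/{{ client.name }}`, generates a private
# key there on first run (`wg genkey`) or reuses the existing one, derives the
# public key with `wg pubkey`, writes `public.key`, and exports the pair plus
# the client address as per-client facts
# (`wg_<name>_private_key`, `wg_<name>_public_key`, `wg_<name>_address`).
# Expected to be included once per `client` item (loop variable `client`
# with `.name` and `.address`).
#
# Every task whose args or registered result contain the private key runs
# with `no_log: true` so the key does not end up in console output, callback
# plugins or log files; note that `no_log` also hides the error output of
# those tasks, so temporarily disable it when debugging.
#
# NOTE(review): only the directory task escalates with `become`; the
# remaining tasks run as the connecting user. If the role is not run with
# `become` at play level, the writes into the root-owned 0700 directory will
# fail — confirm against how the role is invoked.

- name: Key-Verzeichnis für Client anlegen
  file:
    path: "{{ role_path }}/client-keys/{{ client.name }}"
    state: directory
    # Directory holds the private key, so no group/world access at all.
    mode: "0700"
  become: true

- name: Existenz des privaten Schlüssels prüfen
  stat:
    path: "{{ role_path }}/client-keys/{{ client.name }}/private.key"
  register: client_private_key_stat

- name: Privaten Schlüssel generieren (nur falls nicht vorhanden)
  command: wg genkey
  args:
    chdir: "{{ role_path }}/client-keys/{{ client.name }}"
  register: genpriv
  when: not client_private_key_stat.stat.exists
  # `genpriv.stdout` is the private key.
  no_log: true

- name: Privaten Schlüssel speichern (nur falls nicht vorhanden)
  copy:
    content: "{{ genpriv.stdout }}"
    dest: "{{ role_path }}/client-keys/{{ client.name }}/private.key"
    mode: "0600"
  when: not client_private_key_stat.stat.exists
  # `content` is the private key (visible with --diff/-v otherwise).
  no_log: true

- name: Public Key aus privaten Schlüssel generieren (bei Neuerstellung)
  command: wg pubkey
  args:
    stdin: "{{ genpriv.stdout }}"
    chdir: "{{ role_path }}/client-keys/{{ client.name }}"
  register: genpub
  when: not client_private_key_stat.stat.exists
  # stdin is the private key.
  no_log: true
  # Pure derivation, nothing on the host changes.
  changed_when: false

- name: Bestehenden privaten Schlüssel laden (falls vorhanden)
  slurp:
    src: "{{ role_path }}/client-keys/{{ client.name }}/private.key"
  register: loaded_private
  when: client_private_key_stat.stat.exists
  # `loaded_private.content` is the base64-encoded private key.
  no_log: true

- name: Public Key aus gespeichertem Private Key erzeugen (falls vorhanden)
  command: wg pubkey
  args:
    stdin: "{{ loaded_private.content | b64decode }}"
    chdir: "{{ role_path }}/client-keys/{{ client.name }}"
  register: genpub_existing
  when: client_private_key_stat.stat.exists
  # stdin is the private key.
  no_log: true
  # Runs on every play; without this the play always reports "changed".
  changed_when: false

- name: Public Key für Client in Datei schreiben
  copy:
    # Exactly one of `genpub` / `genpub_existing` ran above; pick that one.
    content: >
      {{ (genpub.stdout if not client_private_key_stat.stat.exists else genpub_existing.stdout) }}
    dest: "{{ role_path }}/client-keys/{{ client.name }}/public.key"
    mode: "0644"

- name: Variablen für Client setzen (private/public key, Adresse)
  set_fact:
    "wg_{{ client.name }}_private_key": "{{ (genpriv.stdout if not client_private_key_stat.stat.exists else loaded_private.content | b64decode) }}"
    "wg_{{ client.name }}_public_key": "{{ (genpub.stdout if not client_private_key_stat.stat.exists else genpub_existing.stdout) }}"
    "wg_{{ client.name }}_address": "{{ client.address }}"
  # The private-key fact would otherwise be printed with -v.
  no_log: true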