- name: Schleife über alle WireGuard-Clients
  include_tasks: generate_client_single.yml
  loop: "{{ wireguard_clients }}"
  loop_control:
    loop_var: client

- name: Generiere privaten Schlüssel für jeden Client
  shell: "wg genkey"
  register: wg_client_private_keys
  loop: "{{ wireguard_clients }}"
  loop_control:
    label: "{{ item.name }}"
  # kein delegate_to mehr!
  run_once: true  # ggf. auch entfernen, siehe Anmerkung unten

- name: Setze globale Client-Key-Facts für alle Clients
  set_fact:
    wg_all_clients_private_keys: >-
      {{
        wg_all_clients_private_keys | default({}) | combine({
          item.1.name: item.0.stdout
        })
      }}
  loop: "{{ wg_client_private_keys.results | zip(wireguard_clients) | list }}"
  delegate_to: localhost
  run_once: true


- name: Generiere Private Keys für Clients
  command: "wg genkey"
  register: client_keys_raw
  loop: "{{ wireguard_clients }}"
  loop_control:
    loop_var: client
  changed_when: false

- name: Mappe Keys nach Namen
  set_fact:
    wg_all_clients_private_keys: "{{ dict(wireguard_clients | map(attribute='name') | list | zip(client_keys_raw.results | map(attribute='stdout') | list)) }}"