michaelschiemer/.deployment-backup/ansible/wireguard-server/roles/wireguard/tasks/configure.yml
Michael Schiemer 9b74ade5b0 feat: Fix discovery system critical issues
Resolved multiple critical discovery system issues:

## Discovery System Fixes
- Fixed console commands not being discovered on first run
- Implemented fallback discovery for empty caches
- Added context-aware caching with separate cache keys
- Fixed object serialization preventing __PHP_Incomplete_Class

## Cache System Improvements
- Smart caching that only caches meaningful results
- Separate caches for different execution contexts (console, web, test)
- Proper array serialization/deserialization for cache compatibility
- Cache hit logging for debugging and monitoring

## Object Serialization Fixes
- Fixed DiscoveredAttribute serialization with proper string conversion
- Sanitized additional data to prevent object reference issues
- Added fallback for corrupted cache entries

## Performance & Reliability
- All 69 console commands properly discovered and cached
- 534 total discovery items successfully cached and restored
- No more __PHP_Incomplete_Class cache corruption
- Improved error handling and graceful fallbacks

## Testing & Quality
- Fixed code style issues across discovery components
- Enhanced logging for better debugging capabilities
- Improved cache validation and error recovery

Ready for production deployment with stable discovery system.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-13 12:04:17 +02:00


---
# Configure the WireGuard server.
# Both directories are created root-owned with mode 0700, so only root can
# list or read whatever is stored beneath them.
- name: Erstelle WireGuard-Verzeichnis
  file:
    state: directory
    path: /etc/wireguard
    owner: root
    group: root
    mode: '0700'

- name: Erstelle Client-Config-Verzeichnis
  file:
    state: directory
    path: /etc/wireguard/clients
    owner: root
    group: root
    mode: '0700'
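# Manage the server key pair.
- name: Prüfe ob Server-Schlüssel existieren
  stat:
    path: /etc/wireguard/server-private.key
  register: server_private_key_stat

# Generate the key pair only when no private key exists yet.
# - umask 077 makes the files owner-only from the moment they are created,
#   instead of relying on a chmod that runs after the key was written.
# - The private key is written to a temporary name and moved into place last,
#   so a failed `wg` call cannot leave an empty server-private.key behind that
#   the stat check above would treat as a valid key on the next run.
- name: Generiere Server-Schlüssel
  shell: |
    set -eu
    umask 077
    wg genkey > /etc/wireguard/server-private.key.tmp
    wg pubkey < /etc/wireguard/server-private.key.tmp > /etc/wireguard/server-public.key
    mv /etc/wireguard/server-private.key.tmp /etc/wireguard/server-private.key
    chmod 600 /etc/wireguard/server-private.key /etc/wireguard/server-public.key
  when: not server_private_key_stat.stat.exists

# slurp returns the file content base64-encoded in the task result; no_log
# keeps the private key out of verbose output and job logs.
- name: Lese Server-Schlüssel
  slurp:
    src: /etc/wireguard/server-private.key
  register: server_private_key_content
  no_log: true

- name: Lese Server-Public-Key
  slurp:
    src: /etc/wireguard/server-public.key
  register: server_public_key_content

# Decode both keys into facts. The private key is part of the result, so the
# task output is suppressed as well.
- name: Setze Server-Schlüssel als Facts
  set_fact:
    wg_server_private_key: "{{ server_private_key_content.content | b64decode | trim }}"
    wg_server_public_key: "{{ server_public_key_content.content | b64decode | trim }}"
  no_log: true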
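# Generate one key pair per entry in wireguard_clients (skipped per client
# when a private key file already exists).
# - item.name is passed through the quote filter before it reaches the shell,
#   so a name containing shell metacharacters cannot alter the script.
# - umask 077 creates the key files owner-only; the private key is moved into
#   place last so a failed `wg` call does not leave an empty key file that
#   later runs would accept as existing.
# NOTE(review): item.name is also used as a file name here and in other tasks;
# quoting does not stop path separators - consider validating client names.
# NOTE(review): client private keys are created and kept on the server, so
# anyone with root on this host holds every client's key.
- name: Generiere Client-Schlüssel
  shell: |
    set -eu
    umask 077
    cd /etc/wireguard/clients
    client={{ item.name | quote }}
    if [ ! -f "${client}-private.key" ]; then
      wg genkey > "${client}-private.key.tmp"
      wg pubkey < "${client}-private.key.tmp" > "${client}-public.key"
      mv "${client}-private.key.tmp" "${client}-private.key"
      chmod 600 "${client}-private.key" "${client}-public.key"
    fi
  loop: "{{ wireguard_clients }}"

# Generate a pre-shared key per client, only when wireguard_pre_shared_key is
# truthy. Same umask / write-then-move handling as for the key pairs.
- name: Generiere Pre-shared Keys für Clients
  shell: |
    set -eu
    umask 077
    cd /etc/wireguard/clients
    client={{ item.name | quote }}
    if [ ! -f "${client}-psk.key" ]; then
      wg genpsk > "${client}-psk.key.tmp"
      mv "${client}-psk.key.tmp" "${client}-psk.key"
      chmod 600 "${client}-psk.key"
    fi
  loop: "{{ wireguard_clients }}"
  when: wireguard_pre_shared_key | default(false)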
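# Load all client keys from disk, one slurp result per wireguard_clients entry.
# slurp puts the base64-encoded file content into each loop result, so the
# tasks that read secret material (private keys, pre-shared keys) set no_log
# to keep it out of verbose output and job logs.
- name: Lese Client-Private-Keys
  slurp:
    src: /etc/wireguard/clients/{{ item.name }}-private.key
  loop: "{{ wireguard_clients }}"
  register: client_private_keys
  no_log: true

- name: Lese Client-Public-Keys
  slurp:
    src: /etc/wireguard/clients/{{ item.name }}-public.key
  loop: "{{ wireguard_clients }}"
  register: client_public_keys

# Only read when pre-shared keys are enabled.
- name: Lese Pre-shared Keys
  slurp:
    src: /etc/wireguard/clients/{{ item.name }}-psk.key
  loop: "{{ wireguard_clients }}"
  register: client_psk_keys
  when: wireguard_pre_shared_key | default(false)
  no_log: true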
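# Build key dictionaries: client name -> decoded key.
# Names and slurp results are zipped positionally, which works because the
# slurp loops iterate wireguard_clients in the same order.
# The resulting facts contain private keys, so the task result is not logged.
- name: Erstelle Client-Key-Dictionary
  set_fact:
    wg_client_private_keys: "{{ dict(wireguard_clients | map(attribute='name') | list | zip(client_private_keys.results | map(attribute='content') | map('b64decode') | map('trim') | list)) }}"
    wg_client_public_keys: "{{ dict(wireguard_clients | map(attribute='name') | list | zip(client_public_keys.results | map(attribute='content') | map('b64decode') | map('trim') | list)) }}"
  no_log: true

# Same mapping for pre-shared keys, only when they are enabled and the slurp
# result was registered.
- name: Erstelle Pre-shared Key Dictionary
  set_fact:
    wg_client_psk_keys: "{{ dict(wireguard_clients | map(attribute='name') | list | zip(client_psk_keys.results | map(attribute='content') | map('b64decode') | map('trim') | list)) }}"
  when:
    - wireguard_pre_shared_key | default(false)
    - client_psk_keys is defined
  no_log: true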
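# Render the server configuration; a change triggers the "restart wireguard"
# handler.
# NOTE(review): wg0.conf.j2 is not visible here, but it presumably embeds the
# server private key. diff: false keeps the rendered content out of the
# output when the play is run with --diff.
- name: Erstelle WireGuard-Server-Konfiguration
  template:
    src: wg0.conf.j2
    dest: /etc/wireguard/wg0.conf
    mode: '0600'
    owner: root
    group: root
  diff: false
  notify: restart wireguard

# Render one configuration file per client into the root-only clients
# directory.
# NOTE(review): client.conf.j2 presumably embeds the client private key (and
# pre-shared key), hence diff: false here as well.
- name: Erstelle Client-Konfigurationen
  template:
    src: client.conf.j2
    dest: /etc/wireguard/clients/{{ item.name }}.conf
    mode: '0600'
    owner: root
    group: root
  diff: false
  loop: "{{ wireguard_clients }}"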
# Configure the WireGuard service: reload systemd's unit definitions, then
# make sure the wg-quick instance for wg0 is enabled and running.
- name: Aktiviere WireGuard-Service
  systemd:
    daemon_reload: true
    name: wg-quick@wg0
    state: started
    enabled: true