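---
# Creates the WireGuard config directory, generates a private key once,
# derives the public key from it, and exposes the public key as a fact.
# The private key value should never show up in task output or logs.
#
# NOTE(review): no owner/group is set on any path, so files end up owned by
# whichever user the play runs as (presumably root via become) - confirm.

# 0700 keeps the directory, and the key inside it, closed to other users.
- name: Ensure /etc/wireguard exists
  file:
    path: /etc/wireguard
    state: directory
    mode: "0700"

# Existence check makes key generation idempotent: an existing key is kept.
- name: Check for existing WireGuard private key
  stat:
    path: /etc/wireguard/private.key
  register: wg_key_stat

# wg_genkey.stdout is the private key. Without no_log the registered result
# is printed in verbose runs and handed to callback/log plugins.
- name: Generate WireGuard private key
  command: wg genkey
  register: wg_genkey
  when: not wg_key_stat.stat.exists
  no_log: true

# no_log keeps the key out of --diff output and the task result as well.
# Trade-off: failure details for this task are hidden too.
- name: Save WireGuard private key
  copy:
    content: "{{ wg_genkey.stdout }}\n"
    dest: /etc/wireguard/private.key
    mode: "0600"
  when: not wg_key_stat.stat.exists
  no_log: true

# The redirect feeds the key file straight to wg, so only the public key is
# captured in wg_pubkey_result. Nothing is modified, hence changed_when.
- name: Derive WireGuard public key
  shell: wg pubkey < /etc/wireguard/private.key
  register: wg_pubkey_result
  changed_when: false

# The public key is not secret; 0644 is fine for the file itself.
- name: Save WireGuard public key
  copy:
    content: "{{ wg_pubkey_result.stdout }}\n"
    dest: /etc/wireguard/public.key
    mode: "0644"

# Only the public key is published as a fact; the private key stays on disk.
- name: Set WireGuard key facts
  set_fact:
    wg_public_key: "{{ wg_pubkey_result.stdout | trim }}"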