role_wireguard/tasks/keys.yml


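---
# tasks file for wireguard
#
# Ensures a WireGuard key pair for `peer` is stored in OpenBao (KV v2) at
# <wireguard_openbao_mount>/<inventory_hostname>/<ansible_role_name>/<peer>.
# The read is attempted first; only when it fails does the rescue section
# generate a fresh key pair with `wg` and write it back.
#
# NOTE(review): `rescue` runs on *any* failure of the read task, not only when
# the secret is absent (an auth or connectivity error would also trigger it).
# In that case a new key pair is generated and written, which rotates the
# peer's key — confirm this is acceptable or narrow the condition.
#
# NOTE(review): the original indentation was lost; `when`/`delegate_to` are
# reconstructed here at task level (only the OpenBao read/write delegated,
# key generation on the managed host) — confirm against the source file.
- name: Create and store keys in OpenBao
  block:
    - name: Get keys from OpenBao
      community.hashi_vault.vault_kv2_get:
        engine_mount_point: "{{ wireguard_openbao_mount }}"
        path: "{{ inventory_hostname }}/{{ ansible_role_name }}/{{ peer }}"
      # The returned secret contains the private key; keep it out of the
      # play output and log files.
      no_log: true
      when: wireguard_openbao_mount | length > 0
      delegate_to: 127.0.0.1
  rescue:
    - name: Generate peers privatekey # noqa: no-changed-when
      ansible.builtin.command:
        argv:
          - wg
          - genkey
      register: peer_privatekey
      # stdout *is* the private key — never let it reach the logs.
      no_log: true
    - name: Generate peers publickey # noqa: no-changed-when
      ansible.builtin.command:
        argv:
          - wg
          - pubkey
        # wg pubkey derives the public key from the private key on stdin.
        stdin: "{{ peer_privatekey.stdout }}"
      register: peer_publickey
      # Module args (including stdin) are echoed in verbose output.
      no_log: true
    - name: Write keys to OpenBao
      community.hashi_vault.vault_kv2_write:
        engine_mount_point: "{{ wireguard_openbao_mount }}"
        path: "{{ inventory_hostname }}/{{ ansible_role_name }}/{{ peer }}"
        data:
          privatekey: "{{ peer_privatekey.stdout }}"
          publickey: "{{ peer_publickey.stdout }}"
        read_before_write: true
      # The payload holds the private key.
      no_log: true
      # Only write when a mount is configured and both keys were produced;
      # an empty key would otherwise be stored as the peer's identity.
      when:
        - wireguard_openbao_mount | length > 0
        - peer_privatekey.stdout | default('') | length > 0
        - peer_publickey.stdout | default('') | length > 0
      delegate_to: 127.0.0.1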