algo/roles/wireguard/tasks/keys.yml

---
- name: Delete the lock files
  file:
    dest: "{{ config_prefix|default('/') }}etc/wireguard/private_{{ item }}.lock"
    state: absent
  when: keys_clean_all|bool == True
  with_items:
    - "{{ users }}"
    - "{{ IP_subject_alt_name }}"

- name: Generate private keys
  command: wg genkey
  register: wg_genkey
  args:
    creates: "{{ config_prefix|default('/') }}etc/wireguard/private_{{ item }}.lock"
  with_items:
    - "{{ users }}"
    - "{{ IP_subject_alt_name }}"

- block:
  - name: Save private keys
    copy:
      dest: "{{ wireguard_config_path }}/private/{{ item['item'] }}"
      content: "{{ item['stdout'] }}"
      mode: "0600"
    no_log: true
    when: item.changed
    with_items: "{{ wg_genkey['results'] }}"
    delegate_to: localhost
    become: false

  - name: Touch the lock file
    file:
      dest: "{{ config_prefix|default('/') }}etc/wireguard/private_{{ item }}.lock"
      state: touch
    with_items:
      - "{{ users }}"
      - "{{ IP_subject_alt_name }}"
  when: wg_genkey.changed

- name: Generate public keys
  shell: echo "{{ lookup('file', wireguard_config_path + '/private/' + item) }}" | wg pubkey
  register: wg_pubkey
  changed_when: false
  args:
    executable: bash
  with_items:
    - "{{ users }}"
    - "{{ IP_subject_alt_name }}"

- name: Save public keys
  copy:
    dest: "{{ wireguard_config_path }}/public/{{ item['item'] }}"
    content: "{{ item['stdout'] }}"
    mode: "0600"
  no_log: true
  with_items: "{{ wg_pubkey['results'] }}"
  delegate_to: localhost
  become: false