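---
# Ansible tasks: install WireGuard and nftables, render the forwarding
# sysctl drop-in, write one tunnel config and one interface file per entry
# of `wireguard_endpoints`, then enable and configure nftables.

- name: Install required packages
  apt:
    pkg:
      - ifupdown2
      - wireguard
      - nftables
    # NOTE(review): `latest` upgrades these packages on every run. That
    # keeps them patched but makes runs non-reproducible; pin or switch
    # to `present` if upgrades are managed elsewhere.
    state: latest
    update_cache: true

- name: Tweak sysctl to enable IP forwarding
  # NOTE(review): this task notifies no handler. A drop-in under
  # /etc/sysctl.d is presumably only loaded at boot unless something else
  # re-applies sysctl settings - confirm forwarding is active after a
  # first run.
  template:
    src: sysctl.conf.j2
    dest: /etc/sysctl.d/forwarding.conf
    owner: root
    group: root
    mode: 'u=rw,g=r,o='

- name: Create tunnels configurations
  template:
    src: wireguard.conf.j2
    dest: "/etc/wireguard/{{ item.name }}.conf"
    owner: root
    group: root
    # Owner-only: the rendered file holds the tunnel's private key.
    mode: 'u=rw,g=,o='
  loop: "{{ wireguard_endpoints }}"
  # try to hide clear-text private keys from Ansible output
  # `no_log` suppresses the per-item task output; `diff: false` keeps the
  # rendered file content out of --diff output.
  # NOTE(review): no_log does not cover Ansible debug output
  # (ANSIBLE_DEBUG), and the keys presumably live in inventory/vars -
  # confirm they are stored encrypted (e.g. Ansible Vault).
  # NOTE(review): no handler is notified here, so a changed tunnel config
  # is not applied by this task alone - confirm how it gets reloaded.
  no_log: true
  diff: false

- name: Create network interfaces
  template:
    src: interface.j2
    dest: "/etc/network/interfaces.d/{{ item.name }}"
    owner: root
    group: root
    # NOTE(review): group-readable, unlike the tunnel config above;
    # confirm interface.j2 renders no key material.
    mode: 'u=rw,g=r,o='
  loop: "{{ wireguard_endpoints }}"
  # Loops over the same items as the tunnel task, so output is
  # suppressed here as well.
  no_log: true
  diff: false
  notify:
    - Reload network interfaces

- name: Enable nftables
  # Runs before the ruleset is templated, so the service starts with
  # whatever /etc/nftables.conf is already on the host.
  systemd:
    name: nftables.service
    state: started
    enabled: true

- name: Configure nftables
  template:
    src: nftables.conf.j2
    dest: /etc/nftables.conf
    # `nft -c` only checks the rendered ruleset; the file is installed
    # only if that check succeeds.
    validate: '/sbin/nft -c -f %s'
    owner: root
    group: root
    mode: 'u=rw,g=r,o='
  notify:
    - Reload nftables
...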