---
- name: Install required packages
  become: true
  apt:
    pkg:
      - ifupdown2
      - wireguard
    state: latest
    update_cache: yes

- name: Tweak sysctl to enable IP forwarding
  become: true
  template:
    src: sysctl.conf.j2
    dest: /etc/sysctl.d/forwarding.conf
    owner: root
    group: root
    mode: u=rw,g=r,o=
  notify:
    - Reload sysctl

- name: Create tunnels configurations
  become: true
  template:
    src: wireguard.conf.j2
    dest: "/etc/wireguard/{{ item.name }}.conf"
    owner: root
    group: root
    mode: u=rw,g=,o=
  loop: "{{ wireguard_endpoints }}"
  # try to hide clear-text private keys from Ansible output
  no_log: True
  diff: no
  notify:
    - Reload network interfaces

- name: Create network interfaces
  become: true
  template:
    src: interface.j2
    dest: "/etc/network/interfaces.d/{{ item.name }}"
    owner: root
    group: root
    mode: u=rw,g=r,o=
  loop: "{{ wireguard_endpoints }}"
  no_log: True
  diff: no
  notify:
    - Reload network interfaces
...