feat(edge_vps): add WireGuard setup task and template

roles/edge_vps/tasks/20_wireguard.yaml

@@ -0,0 +1,19 @@
+---
+- name: Install WireGuard
+  ansible.builtin.apt:
+    name: wireguard
+    state: present
+    update_cache: true
+
+- name: Deploy WireGuard config
+  ansible.builtin.template:
+    src: wireguard/wg0.conf.j2
+    dest: "{{ edge_vps_wireguard_config_dir }}/{{ edge_vps_wireguard_interface }}.conf"
+    mode: "0600"
+  notify: restart wireguard
+
+- name: Enable WireGuard
+  ansible.builtin.systemd:
+    name: "wg-quick@{{ edge_vps_wireguard_interface }}"
+    enabled: true
+    state: started

roles/edge_vps/templates/wireguard/wg0.conf.j2

@@ -0,0 +1,25 @@
+[Interface]
+Address = {{ edge_vps_wireguard_address }}
+ListenPort = {{ edge_vps_wireguard_port }}
+PrivateKey = {{ vault_edge_vps.wireguard.private_key }}
+
+PostUp   = sysctl -w net.ipv4.ip_forward=1
+PostUp   = iptables -A FORWARD -i {{ edge_vps_wireguard_interface }} -j ACCEPT
+PostUp   = iptables -A FORWARD -o {{ edge_vps_wireguard_interface }} -j ACCEPT
+{% for route in edge_vps_wireguard_routes | default([]) %}
+PostUp   = ip route add {{ route }} via {{ route.gateway }} dev {{ edge_vps_wireguard_interface }}
+{% endfor %}
+PostDown = iptables -D FORWARD -i {{ edge_vps_wireguard_interface }} -j ACCEPT
+PostDown = iptables -D FORWARD -o {{ edge_vps_wireguard_interface }} -j ACCEPT
+{% for route in edge_vps_wireguard_routes | default([]) %}
+PostDown = ip route del {{ route }} via {{ route.gateway }} dev {{ edge_vps_wireguard_interface }}
+{% endfor %}
+
+{% for peer in vault_edge_vps.wireguard.peers %}
+[Peer]
+# {{ peer.name }}
+PublicKey = {{ peer.public_key }}
+PresharedKey = {{ peer.preshared_key }}
+AllowedIPs = {{ peer.allowed_ips }}
+
+{% endfor %}