diff --git a/ansible/files/wireguard/server_private_key b/ansible/files/wireguard/server_private_key
new file mode 100644
index 0000000..3f97248
--- /dev/null
+++ b/ansible/files/wireguard/server_private_key
@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+39653235613163636362653036663563383839313836643563323462616163353364323862313039
+6564656661323039393563636133303132626663366233390a343535383963353763383364376438
+36306435396461393132653161393238623562393465356166343764336661376434333335643863
+3865373732363761620a613236613963396638613831326332386530326239373062333933646239
+39313336383366636133646336653236303261346238306336663564373063383634313361356335
+6334353863363931643338663833333065343435333231623466
diff --git a/ansible/files/wireguard/server_public_key b/ansible/files/wireguard/server_public_key
new file mode 100644
index 0000000..7abf2fa
--- /dev/null
+++ b/ansible/files/wireguard/server_public_key
@@ -0,0 +1 @@
+GH+qA1Au9BraGhNt7Aqp8tdhGVfH8ENnY3VzKhe69XQ=
diff --git a/ansible/playbooks/wireguard.yml b/ansible/playbooks/wireguard.yml
index 5e1f74b..9d0c0ab 100644
--- a/ansible/playbooks/wireguard.yml
+++ b/ansible/playbooks/wireguard.yml
@@ -10,11 +10,10 @@ - wireguard-tools - bind - - name: Create private key - ansible.builtin.shell: - chdir: /etc/wireguard/ - creates: /etc/wireguard/server_public_key - cmd: "wg genkey | tee server_private_key | wg pubkey > server_public_key" + - name: Copy keys to server + ansible.builtin.copy: + src: wireguard/ + dest: /etc/wireguard/server_public_key - name: Remember the public key ansible.builtin.command: cat /etc/wireguard/server_public_key
diff --git a/ansible/templates/wireguard/wg0.conf b/ansible/templates/wireguard/wg0.conf
new file mode 100644
index 0000000..0177899
--- /dev/null
+++ b/ansible/templates/wireguard/wg0.conf
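Review bot: In the playbook hunk, `dest: /etc/wireguard/server_public_key` does not fit a directory source: with `src: wireguard/` (trailing slash) `ansible.builtin.copy` places the directory's contents under dest, so the two files would land at `/etc/wireguard/server_public_key/server_private_key` and `/etc/wireguard/server_public_key/server_public_key`, and the unchanged `cat /etc/wireguard/server_public_key` task that follows would then hit a directory. The task also sets no permissions, so the vault-decrypted private key would be written with copy's default mode (umask-derived, typically world-readable) even though it should be readable by root only; change the task to `dest: /etc/wireguard/` and `mode: "0600"` with `owner`/`group` set to root (the public key can either share that mode or be copied in its own task with `0644`). This also replaces a per-host `wg genkey` with one committed key, so every host the play targets now shares the same WireGuard identity — fine for a single server, but worth saying in the task name or a comment if that is intended. The removed `creates:` guard is not needed for `copy`, which is idempotent by checksum.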
@@ -0,0 +1,14 @@
+
+[Interface]
+Address = 10.0.0.1/24
+SaveConfig = true
+PrivateKey = {{ wg_private_key }}
+ListenPort = 51900
+
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
+
+[Peer]
+PublicKey = {{ wg_public_key }}
+AllowedIPs = 10.0.0.2/32
+
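Review bot: `SaveConfig = true` makes wg-quick rewrite this file from the running interface on `wg-quick down`, in its own layout and including any peers added at runtime, so the deployed file stops matching the Ansible template: every later run reports a change and overwrites what wg-quick saved, and peers added by hand are silently lost. Since Ansible is the source of truth here, drop that line (or set `SaveConfig = false`) and manage peers through the template. The rendered file embeds `PrivateKey`, so the template task that writes it (not in this diff) should set `mode: "0600"`; wg-quick only warns when the config is world-readable, it does not refuse to start. Two smaller points: `{{ wg_public_key }}` in `[Peer]` has to be the client's key, not the server's — if it is populated from the playbook's "Remember the public key" task it would be the server's own key, so a name like `wg_peer_public_key` would make the distinction explicit — and `-o eth0` in PostUp/PostDown assumes the uplink interface name, where `{{ ansible_default_ipv4.interface }}` would follow the host instead.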