Address review feedback: explicit directory modes and clearer docs

- Add explicit mode to WireGuard directory creation in main.yml:
  - PKI directories (preshared, private, public): 0700
  - Config directories (apple/ios, apple/macos): 0755

- Enhance config.cfg keys_clean_all comment to clarify:
  - When false: new users added (not just preserved)
  - When true: ALL CLIENTS MUST RECONFIGURE (explicit impact warning)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: dguido

config.cfg

@@ -89,8 +89,8 @@ dns_servers:
 pki_in_tmpfs: true
 
 # Regenerate ALL user credentials on update-users (not just new users)
-# When false: existing WireGuard keys and IPsec certs are preserved
-# When true: all credentials are deleted and regenerated for all users
+# When false: existing WireGuard keys and IPsec certs are preserved, new users added
+# When true: all credentials deleted and regenerated - ALL CLIENTS MUST RECONFIGURE
 keys_clean_all: false
 
 ### VPN Network Configuration ###

roles/wireguard/tasks/main.yml

@@ -1,15 +1,16 @@
 ---
 - name: Ensure the required directories exist
   file:
-    dest: "{{ item }}"
+    dest: "{{ item.path }}"
     state: directory
     recurse: true
+    mode: "{{ item.mode }}"
   with_items:
-    - "{{ wireguard_pki_path }}/preshared"
-    - "{{ wireguard_pki_path }}/private"
-    - "{{ wireguard_pki_path }}/public"
-    - "{{ wireguard_config_path }}/apple/ios"
-    - "{{ wireguard_config_path }}/apple/macos"
+    - { path: "{{ wireguard_pki_path }}/preshared", mode: "0700" }
+    - { path: "{{ wireguard_pki_path }}/private", mode: "0700" }
+    - { path: "{{ wireguard_pki_path }}/public", mode: "0700" }
+    - { path: "{{ wireguard_config_path }}/apple/ios", mode: "0755" }
+    - { path: "{{ wireguard_config_path }}/apple/macos", mode: "0755" }
   delegate_to: localhost
   become: false