Add keys_clean_all support to WireGuard (parity with IPsec)

Previously, WireGuard had no option to force credential regeneration for
existing users. The keys_clean_all option only affected IPsec certificates.

Now WireGuard respects keys_clean_all the same way IPsec does:
- keys_clean_all: false (default) - preserve existing keys, only generate
  for new users
- keys_clean_all: true - delete all keys and regenerate for all users

Also improved the config.cfg documentation to clarify this option affects
both WireGuard and IPsec credentials.

Fixes #14610

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: dguido

config.cfg

@@ -88,7 +88,9 @@ dns_servers:
 # Store PKI in RAM disk when not retaining (MacOS/Linux only)
 pki_in_tmpfs: true
 
-# Regenerate ALL user certs on update-users (not just new users)
+# Regenerate ALL user credentials on update-users (not just new users)
+# When false: existing WireGuard keys and IPsec certs are preserved
+# When true: all credentials are deleted and regenerated for all users
 keys_clean_all: false
 
 ### VPN Network Configuration ###

roles/wireguard/tasks/keys.yml

@@ -1,4 +1,21 @@
 ---
+- name: Ensure the WireGuard pki directory does not exist
+  file:
+    dest: "{{ wireguard_pki_path }}"
+    state: absent
+  when: keys_clean_all | bool
+
+- name: Ensure the WireGuard pki directories exist
+  file:
+    dest: "{{ wireguard_pki_path }}/{{ item }}"
+    state: directory
+    recurse: true
+    mode: "0700"
+  with_items:
+    - preshared
+    - private
+    - public
+
 - name: Generate raw private keys
   community.crypto.openssl_privatekey:
     type: X25519