author | Tharre <tharre3@gmail.com> | 2019-02-19 05:45:25 +0100 |
---|---|---|
committer | Tharre <tharre3@gmail.com> | 2019-02-19 05:45:30 +0100 |
commit | b6d02e11cc8ac63ce717f1a9be092f1f541745b6 (patch) | |
tree | e999059e1eefd7d05c7040a8581187cad8be5dd6 /roles | |
parent | cbd109adc0822485431fa64e4d552facf05ad02b (diff) | |
download | infrastructure-b6d02e11cc8ac63ce717f1a9be092f1f541745b6.tar.gz infrastructure-b6d02e11cc8ac63ce717f1a9be092f1f541745b6.tar.xz infrastructure-b6d02e11cc8ac63ce717f1a9be092f1f541745b6.zip |
Add WireGuard role
Diffstat (limited to 'roles')
-rw-r--r-- | roles/wireguard/defaults/main.yml | 23 | ||||
-rw-r--r-- | roles/wireguard/handlers/main.yml | 6 | ||||
-rw-r--r-- | roles/wireguard/tasks/main.yml | 57 | ||||
-rw-r--r-- | roles/wireguard/templates/wg.conf.j2 | 37 |
4 files changed, 123 insertions, 0 deletions
diff --git a/roles/wireguard/defaults/main.yml b/roles/wireguard/defaults/main.yml
new file mode 100644
index 0000000..62ba4f8
--- /dev/null
+++ b/roles/wireguard/defaults/main.yml
@@ -0,0 +1,23 @@
+---
+
+# wireguard:
+# - name: wg2server
+# address: ["10.192.122.1/24", "10.10.0.1/16"]
+# dns: "10.200.100.1"
+# port: 51821
+# # privateKey: "JWlx3sQGTulvLOUbgyM6Ufp+rLTd93swWEuIfEAbzhg="
+# preUp:
+# preDown:
+# postUp: "iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {{ ansible_default_ipv4.interface }} -j MASQUERADE"
+# postDown: "iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o {{ ansible_default_ipv4.interface }} -j MASQUERADE"
+# fwmark: 0
+# peers:
+# - publicKey: "xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg="
+# presharedKey: "/UwcSPg38hW/D9Y3tcS1FOV0K1wuURMbS0sesJEP5ak="
+# allowedIPs: "10.192.122.3/32"
+# endpoint:
+# persistentKeepalive: 0
+# - publicKey: "TrMvSoP4jYQlY6RIzBgbssQqY3vxI2Pi+y71lOWWXX0="
+# allowedIPs: "10.192.122.4/32"
+# - publicKey: "gN65BkIKy1eCE9pP1wdc8ROUtkHLF2PfAqYdyYBz6EA="
+# allowedIPs: "10.10.10.230/32"
diff --git a/roles/wireguard/handlers/main.yml b/roles/wireguard/handlers/main.yml
new file mode 100644
index 0000000..6bca6b9
--- /dev/null
+++ b/roles/wireguard/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: restart wireguard
+ service: name=wg-quick@{{ item.item.name }}.service state=restarted
+ with_items: "{{ wireguard_changed.results }}"
+ no_log: true
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
new file mode 100644
index 0000000..8351797
--- /dev/null
+++ b/roles/wireguard/tasks/main.yml
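Review bot: The role declares no real default for `wireguard`; the whole file is a commented-out example, so on a host where the variable is not set every `with_items: "{{ wireguard }}"` loop in tasks/main.yml fails with an undefined-variable error instead of skipping cleanly. Add `wireguard: []` as an actual default under the example. The example also carries what look like a complete private key and preshared key; even inside comments these should be obvious placeholders such as `"<generate with wg genkey>"`, so a copy-paste never ships a key that already sits in a public repository.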
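Review bot: The handler restarts every interface listed in `wireguard_changed.results`, not only the ones whose config file the template task actually changed, so a run that touches one tunnel bounces all of them. Gate the loop with `when: item is changed`, since each per-item result carries its own `changed` flag. The key=value form `service: name=wg-quick@{{ item.item.name }}.service state=restarted` would read better as block YAML (`service:` / `name: "wg-quick@{{ item.item.name }}.service"` / `state: restarted`), and `no_log: true` on this handler hides which tunnel was restarted from the play output without protecting any secret, so it can be dropped here.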
@@ -0,0 +1,57 @@
+---
+
+- name: Install WireGuard
+ package:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - wireguard-lts
+ - wireguard-tools
+
+- name: Ensure /etc/wireguard exists
+ file:
+ path: "/etc/wireguard"
+ state: directory
+ owner: root
+ group: root
+ mode: 0700
+
+- name: Generate private key(s)
+ shell: 'wg genkey'
+ register: wireguard_keys
+ when: item.privateKey is not defined
+ no_log: true
+ with_items: "{{ wireguard }}"
+
+- name: Set private key(s)
+ set_fact:
+ wireguard: "{{ [wireguard|combine(
+ item|combine({'privateKey': wireguard_keys.results[index].stdout})
+ )] }}"
+ when: item.privateKey is not defined
+ no_log: true
+ loop: "{{ wireguard }}"
+ loop_control:
+ index_var: index
+
+- name: Install configuration files
+ template:
+ src: wg.conf.j2
+ dest: "/etc/wireguard/{{ item.name }}.conf"
+ owner: root
+ group: root
+ mode: 0600
+ with_items: "{{ wireguard }}"
+ register: wireguard_changed
+ no_log: true
+ notify:
+ - restart wireguard
+
+- name: Start and enable wireguard service
+ systemd:
+ name: "wg-quick@{{ item.name }}.service"
+ daemon-reload: yes
+ state: started
+ enabled: True
+ no_log: true
+ with_items: "{{ wireguard }}"
diff --git a/roles/wireguard/templates/wg.conf.j2 b/roles/wireguard/templates/wg.conf.j2
new file mode 100644
index 0000000..bac19a9
--- /dev/null
+++ b/roles/wireguard/templates/wg.conf.j2
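Review bot: `shell: 'wg genkey'` in "Generate private key(s)" runs on every play for each entry without `privateKey`, so the key is regenerated, the rendered config changes and the tunnel is restarted on every run, peers that trust the previous public key stop working, and the generated key exists nowhere except the rendered config. Persist it once under /etc/wireguard guarded by `creates:` and read it back, as sketched below, and in "Set private key(s)" take the value from `wireguard_keys.results[index].content | b64decode | trim`. That task also looks broken as written: `wireguard` is a list per the example in defaults/main.yml and the `combine` filter accepts only mappings, so `wireguard|combine(...)` should raise rather than update the entry — the usual shape is to build the new list with `wireguard | rejectattr('name', 'equalto', item.name) | list + [item | combine({...})]`, hedged since I cannot run it here. Smaller points: `mode: 0700` and `mode: 0600` are unquoted octals and should be `"0700"`/`"0600"`, `daemon-reload: yes` and `enabled: True` should be `true`, and `package` with `with_items` should pass the list directly in `name:`.
```yaml
- name: Generate private key(s)
  shell: 'umask 077 && wg genkey > /etc/wireguard/{{ item.name }}.key'
  args:
    creates: "/etc/wireguard/{{ item.name }}.key"
  when: item.privateKey is not defined
  no_log: true
  with_items: "{{ wireguard }}"

- name: Read private key(s) back
  slurp:
    src: "/etc/wireguard/{{ item.name }}.key"
  register: wireguard_keys
  when: item.privateKey is not defined
  no_log: true
  with_items: "{{ wireguard }}"

# … unchanged: Set private key(s) (now decoding results[index].content), Install configuration files, Start and enable wireguard service …
```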
@@ -0,0 +1,37 @@
+[Interface]
+{% for addr in item.address %}
+Address = {{ addr }}
+{% endfor %}
+{% if item.dns is defined %}
+DNS = {{ item.dns }}
+{% endif %}
+{% if item.preUp is defined %}
+PreUp = {{ item.preUp }}
+{% endif %}
+{% if item.preDown is defined %}
+PreDown = {{ item.preDown }}
+{% endif %}
+{% if item.postUp is defined %}
+PostUp = {{ item.postUp }}
+{% endif %}
+{% if item.postDown is defined %}
+PostDown = {{ item.postDown }}
+{% endif %}
+ListenPort = {{ item.port }}
+PrivateKey = {{ item.privateKey }}
+{% if item.fwmark is defined %}
+Fwmark = {{ item.fwmark }}
+{% endif %}
+
+{% for peer in item.peers %}
+[Peer]
+PublicKey = {{ peer.publicKey }}
+{% if peer.presharedKey is defined %}
+PresharedKey = {{ peer.presharedKey }}
+{% endif %}
+AllowedIPs = {{ peer.allowedIPs }}
+{% if peer.persistentKeepalive is defined %}
+PersistentKeepalive = {{ peer.persistentKeepalive }}
+{% endif %}
+
+{% endfor %} |
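Review bot: The peer loop never renders `Endpoint`, although the example in defaults/main.yml documents an `endpoint:` key per peer, so a configured endpoint is silently dropped and a peer that has to initiate the handshake can never connect; add `{% if peer.endpoint is defined %}` / `Endpoint = {{ peer.endpoint }}` / `{% endif %}` next to the PresharedKey block. The `is defined` guards also let a key that is present but empty through — the same example shows `preUp:` and `preDown:` with no value — which renders `PreUp = None`, and wg-quick then tries to execute that as a command and aborts the interface start; `{% if item.preUp is defined and item.preUp is not none %}`, and the same for the other optional fields, avoids it.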