wireguard role

defaults/main.yaml

@@ -0,0 +1,10 @@
+---
+wireguard_configuration_method: wg-quick
+
+wireguard_interface: wg0
+wireguard_interface_private_key: "{{ ansible_local.wireguard.private_key }}"
+
+wireguard_peers: []
+
+wireguard_interface_listen: false
+wireguard_interface_listen_port: 51820

files/wireguard-local-facts.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+jo private_key=@/etc/wireguard/private_key public_key=$(wg pubkey < /etc/wireguard/private_key)

handlers/main.yaml

@@ -0,0 +1,9 @@
+---
+
+- name: restart systemd service
+  systemd:
+    name: wg-quick@{{wireguard_interface}}.service
+    state: restarted
+
+- name: gather facts again
+  setup:

tasks/main.yaml

@@ -0,0 +1,30 @@
+---
+
+- name: debian packages
+  apt:
+    pkg:
+      - wireguard
+      - jo
+
+- name: ansible local facts directory
+  file:
+    path: /etc/ansible/facts.d
+    state: directory
+
+- name: private key
+  command: sh -c "umask 077; wg genkey > /etc/wireguard/private_key"
+  args:
+    creates: /etc/wireguard/private_key
+  notify: gather facts again
+
+- name: ansible local facts
+  copy:
+    src: wireguard-local-facts.sh
+    dest: /etc/ansible/facts.d/wireguard.fact
+    mode: 0750
+  notify: gather facts again
+
+- name: flush handlers
+  ansible.builtin.meta: flush_handlers
+
+- include_tasks: "method/{{wireguard_configuration_method}}.yaml"

tasks/method/network-manager.yaml

@@ -0,0 +1,12 @@
+---
+
+- name: NetworkManager wireguard connection
+  community.general.nmcli:
+    type: wireguard
+    conn_name: "{{wireguard_interface}}"
+    ifname: "{{wireguard_interface}}"
+    wireguard:
+        listen-port: 51820
+        private-key: my-private-key
+    autoconnect: true
+    state: present

tasks/method/wg-quick.yaml

@@ -0,0 +1,13 @@
+---
+
+- name: wg-quick config
+  template:
+    src: wireguard.conf.j2
+    dest: /etc/wireguard/{{wireguard_interface}}.conf
+  notify: restart systemd service
+
+- name: wg-quick systemd service
+  systemd:
+    name: wg-quick@{{wireguard_interface}}.service
+    state: started
+    enabled: true

templates/wireguard.conf.j2

@@ -0,0 +1,19 @@
+[Interface]
+Address = {{ wireguard_interface_address }}
+PrivateKey = {{ wireguard_interface_private_key }}
+{% if wireguard_interface_listen %}
+ListenPort = {{ wireguard_interface_listen_port }}
+{% endif %}
+
+{% for peer in wireguard_peers %}
+{% if 'ansible_local' in hostvars[peer] and 'wireguard' in hostvars[peer].ansible_local %}
+[Peer]
+PublicKey = {{hostvars[peer].ansible_local.wireguard.public_key}}
+AllowedIPs = {{hostvars[peer].wireguard_allowed_ips}}
+{% if 'wireguard_endpoint' in hostvars[peer] %}
+Endpoint = {{hostvars[peer].wireguard_endpoint}}
+{% endif %}
+PersistentKeepalive = 25
+
+{% endif %}
+{% endfor %}