Added Wireguard role

roles/wireguard/tasks/clients.yml

@@ -0,0 +1,51 @@
+- name: Create client configs directories
+  ansible.builtin.file:
+    path: "{{ wireguard_clients_dir }}/{{ item.FriendlyName }}"
+    mode: 0755
+    state: directory
+  register: existing_client_config
+
+- name: Wireguard client keys block
+  block:
+  
+  - name: Generate WireGuard client private and public keys
+    ansible.builtin.shell: |
+      set -o pipefail
+      umask 077 && wg genkey | tee pk | wg pubkey > pubk
+    args:
+      executable: /bin/bash
+      chdir: "{{ wireguard_clients_dir }}/{{ item.FriendlyName }}"
+
+  - name: Read publickey
+    ansible.builtin.slurp:
+      src: "{{ wireguard_clients_dir }}/{{ item.FriendlyName }}/pubk"
+    register: _client_pubkey_value
+
+  - name: Read privatekey
+    ansible.builtin.slurp:
+      src: "{{ wireguard_clients_dir }}/{{ item.FriendlyName }}/pk"
+    register: _privkey_value
+ 
+  - name: Create client config
+    ansible.builtin.template:
+      src: "clients.conf.j2"
+      dest: "{{ wireguard_clients_dir }}/{{ item.FriendlyName }}/{{ item.FriendlyName }}.conf"
+      mode: 0644
+    vars:
+      server_public_key: "{{ _pubkey_value['content'] | b64decode | trim }}"
+      preshared_key: "{{ _pskkey_value['content'] | b64decode | trim }}"
+
+  - name: Download client configs
+    ansible.builtin.fetch:
+      src: "{{ wireguard_clients_dir }}/{{ item.FriendlyName }}.conf"
+      dest: "{{ wireguard_clients_download_dir }}/{{ inventory_hostname }}/"
+      flat: true
+    when: wireguard_download_clients | bool
+
+  - name: Append peer to server config
+    ansible.builtin.blockinfile:
+      dest: "{{ wireguard_dir }}/{{ wireguard_interface }}.conf"
+      block: "{{ lookup('template', 'templates/peer.j2') }}"
+      marker: "### {mark} ANSIBLE MANAGED BLOCK FOR {{ item.FriendlyName }} ###"
+
+  when: existing_client_config.changed == true

roles/wireguard/tasks/firewall.yml

@@ -0,0 +1,32 @@
+- name: Install iptables-persistent
+  ansible.builtin.apt:
+    name:
+      - iptables
+      - iptables-persistent
+    state: present
+
+- name: Filter FORWARD packets
+  ansible.builtin.iptables:
+    chain: FORWARD
+    jump: DROP
+    in_interface: "{{ wireguard_interface }}"
+    out_interface: "{{ other_interface }}"
+  when:
+    - filter_forward | bool
+    - other_interface | length > 0
+
+
+- name: Setup ipv4 IP forward
+  ansible.posix.sysctl:
+    name: net.ipv4.ip_forward
+    value: '1'
+    sysctl_set: true
+    reload: true
+
+- name: Save current firewall state
+  community.general.iptables_state:
+    state: saved
+    path: /etc/iptables/rules.v4
+  when:
+    - filter_forward | bool
+    - other_interface | length > 0

roles/wireguard/tasks/init.yml

@@ -0,0 +1,14 @@
+- name: Create required dirs
+  ansible.builtin.file:
+    path: "{{ item }}"
+    mode: 0755
+    state: directory
+  loop:
+    - "{{ wireguard_dir }}"
+    - "{{ wireguard_clients_dir }}"
+
+- name: Install WireGuard
+  ansible.builtin.apt:
+    name: "{{ wireguard_packages }}"
+    update_cache: true
+    state: present

roles/wireguard/tasks/main.yml

@@ -0,0 +1,26 @@
+---
+# tasks file for wireguard
+- name: Init tasks
+  import_tasks: init.yml
+
+- name: Deploy server
+  import_tasks: server.yml
+
+- name: Firewalling
+  import_tasks: firewall.yml
+
+- name: Include Client configs
+  include_tasks: clients.yml
+  loop: "{{ peers | list }}"
+
+- name: Cleanup secrets from memory
+  ansible.builtin.set_fact:
+    _pskkey_value: ""
+    _pubkey_value: ""
+    _privkey_value: ""
+
+- name: Restart wg-quick
+  ansible.builtin.systemd:
+    name: wg-quick@wg0.service
+    enabled: yes
+    state: restarted

roles/wireguard/tasks/server.yml

@@ -0,0 +1,75 @@
+- name: Wireguard keys block
+  block:
+  - name: Test if private key is already present
+    ansible.builtin.stat:
+      path: "{{ wireguard_privatekey_path }}"
+    register: _priv_key
+
+  - name: Generate WireGuard server private and public keys
+    ansible.builtin.shell: |
+      set -o pipefail
+      umask 077 && wg genkey | tee {{ wireguard_privatekey_path }} | wg pubkey > {{ wireguard_publickey_path }}
+    args:
+      executable: /bin/bash
+    when:
+      - not _priv_key.stat.exists
+      - wireguard_restore_serverkeys_dir | length == 0
+
+  - name: Restore WireGuard private, public and preshared keys
+    ansible.builtin.copy:
+      src: "{{ wireguard_restore_serverkeys_dir }}"
+      dest: "{{ wireguard_dir }}"
+      mode: '0644'
+    when:
+      - not _priv_key.stat.exists
+      - wireguard_restore_serverkeys_dir | length > 0
+
+  - name: Read publickey
+    ansible.builtin.slurp:
+      src: "{{ wireguard_publickey_path }}"
+    register: _pubkey_value
+
+  - name: Read privatekey
+    ansible.builtin.slurp:
+      src: "{{ wireguard_privatekey_path }}"
+    register: _privkey_value
+
+  - name: Test if preshared key is already present
+    ansible.builtin.stat:
+      path: "{{ wireguard_presharedkey_path }}"
+    register: _psk_key
+
+  - name: Generate WireGuard preshared key
+    ansible.builtin.shell: |
+      set -o pipefail
+      umask 077 && wg genpsk | tee {{ wireguard_presharedkey_path }}
+    args:
+      executable: /bin/bash
+    when: not _psk_key.stat.exists
+
+  - name: Read presharedkey
+    ansible.builtin.slurp:
+      src: "{{ wireguard_presharedkey_path }}"
+    register: _pskkey_value
+  
+  - name: Create server config
+    ansible.builtin.template:
+      src: server.conf.j2
+      dest: "{{ wireguard_dir }}/{{ wireguard_interface }}.conf"
+      mode: 0700
+      force: no 
+
+- name: Create peers variable from template
+  ansible.builtin.set_fact:
+    peers: "{{ lookup('template', 'templates/peers.j2') | from_yaml }}"
+
+- name: Download server private key
+  ansible.builtin.fetch:
+    src: "{{ item }}"
+    dest: "{{ wireguard_serverkeys_download_dir }}/{{ inventory_hostname }}/"
+    flat: true
+  loop:
+    - "{{ wireguard_privatekey_path }}"
+    - "{{ wireguard_publickey_path }}"
+    - "{{ wireguard_presharedkey_path }}"
+  when: wireguard_download_serverkeys | bool