| author | 2023-06-01 22:40:36 +0100 | |
|---|---|---|
| committer | 2023-07-24 14:42:09 +0100 | |
| commit | 0d8bb6829dfe9358ad29ac7f0bf9ef80fd553e3d (patch) | |
| tree | 5b586b477335e08d5f8b6e9f62f59599c1c2cade /roles/wireguard | |
| parent | Remove bad default fail2ban ignore IP (diff) | |
Re-add previous ansible roles
Co-authored-by: Hassan Abouelela <[email protected]>
Co-authored-by: Johannes Christ <[email protected]>
Co-authored-by: Joe Banks <[email protected]>
Co-authored-by:  MarkKoz <[email protected]>
Diffstat (limited to 'roles/wireguard')
| -rw-r--r-- | roles/wireguard/defaults/main/vars.yml | 4 | ||||
| -rw-r--r-- | roles/wireguard/handlers/main.yml | 4 | ||||
| -rw-r--r-- | roles/wireguard/tasks/main.yml | 72 | ||||
| -rw-r--r-- | roles/wireguard/templates/wg0.conf.j2 | 25 | 
4 files changed, 105 insertions, 0 deletions
| diff --git a/roles/wireguard/defaults/main/vars.yml b/roles/wireguard/defaults/main/vars.yml
new file mode 100644
index 0000000..10c80ae
--- /dev/null
+++ b/roles/wireguard/defaults/main/vars.yml
@@ -0,0 +1,4 @@
+extra_keys:
+  - name: Joe
+    pubkey: /dJ+tKXzxv7nrUleNlF+CGyq7OIVlqL8/9Sn8j+cEAc=
+    subnet: 10.0.1.0/24
diff --git a/roles/wireguard/handlers/main.yml b/roles/wireguard/handlers/main.yml
new file mode 100644
index 0000000..0edcf3a
--- /dev/null
+++ b/roles/wireguard/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: reload wg-quick
+  service:
+    name: wg-quick@wg0
+    state: reloaded
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
new file mode 100644
index 0000000..46ff3e9
--- /dev/null
+++ b/roles/wireguard/tasks/main.yml
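Review bot: `extra_keys` is declared in `defaults/`, so an `extra_keys` list set anywhere in inventory or group vars replaces this one rather than merging with it, and the DevOps peer for Joe silently drops out of every host's config; if that entry is meant to be always present, move it to `vars/main.yml` or give it a distinct name and combine the two lists in the template. A short comment above the entry would also help the next maintainer, since `subnet` is rendered as the peer's `AllowedIPs` in `wg0.conf.j2` and therefore both routes `10.0.1.0/24` to this key and accepts packets from that whole range from it: `# subnet becomes the peer's AllowedIPs: traffic to this range is sent to the key, and sources in it are accepted from the key`.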
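Review bot: `state: reloaded` on `wg-quick@wg0` maps, on the packaged systemd unit as far as I recall, to `wg syncconf` with a stripped config, which applies key and peer changes but deliberately ignores `Address` and `PostUp`; a change to `wireguard_subnet` or to the route line in the template is therefore notified but never applied until someone restarts the unit by hand. If the handler is meant to pick up every template change, use `state: restarted` (accepting a brief tunnel interruption) or keep `reloaded` for peer churn and add a second, restart handler that the template task notifies for interface-level changes. Either way a one-line comment on the handler stating which changes a reload does and does not apply would save the next person a confusing debugging session.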
@@ -0,0 +1,72 @@
+- name: Install WireGuard
+  apt:
+    update_cache: true
+    cache_valid_time: 3600
+    pkg:
+      - wireguard
+      - wireguard-tools
+      - linux-headers-{{ ansible_kernel }}
+  tags:
+    - role::wireguard
+
+- name: Generate WireGuard private key
+  shell: set -o pipefail && wg genkey > /etc/wireguard/key.priv
+  args:
+    executable: /bin/bash
+    creates: /etc/wireguard/key.priv
+  tags:
+    - role::wireguard
+
+- name: Generate WireGuard public key
+  shell: set -o pipefail && cat /etc/wireguard/key.priv | wg pubkey > /etc/wireguard/key.pub
+  args:
+    executable: /bin/bash
+    creates: /etc/wireguard/key.pub
+  tags:
+    - role::wireguard
+
+- name: Ensure file permissions for keys set correctly
+  file:
+    path: '{{ item }}'
+    owner: root
+    group: root
+    mode: '0600'
+  with_items:
+    - /etc/wireguard/key.priv
+    - /etc/wireguard/key.pub
+  tags:
+    - role::wireguard
+
+- name: Fetch private key for all hosts
+  slurp:
+    src: /etc/wireguard/key.priv
+  register: wg_priv_key
+  tags:
+    - role::wireguard
+
+- name: Fetch public key for all hosts
+  slurp:
+    src: /etc/wireguard/key.pub
+  register: wg_pub_key
+  tags:
+    - role::wireguard
+
+- name: Generate WireGuard configuration file
+  template:
+    src: wg0.conf.j2
+    dest: /etc/wireguard/wg0.conf
+    mode: '0600'
+    group: root
+    owner: root
+  notify:
+    - reload wg-quick
+  tags:
+    - role::wireguard
+
+- name: Start and enable the WireGuard service
+  service:
+    name: wg-quick@wg0
+    enabled: true
+    state: started
+  tags:
+    - role::wireguard
diff --git a/roles/wireguard/templates/wg0.conf.j2 b/roles/wireguard/templates/wg0.conf.j2
new file mode 100644
index 0000000..647854a
--- /dev/null
+++ b/roles/wireguard/templates/wg0.conf.j2
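Review bot: The "Fetch private key for all hosts" task slurps the WireGuard private key into the registered fact `wg_priv_key` with no `no_log`, so the key is printed in verbose runs, lands in any fact cache or callback store (ARA, AWX job output) and is reachable from every other host's `hostvars`; add `no_log: true` to that task, and to the template task as well, since `--diff` output of `wg0.conf` contains the rendered `PrivateKey` line. The key-generation task has a smaller window of the same kind: `wg genkey > /etc/wireguard/key.priv` creates the file under the shell's default umask and the `0600` mode is only applied by the later `file` task, so `umask 077 && wg genkey > /etc/wireguard/key.priv` closes it. If you want the private key never to leave the host at all, I believe wg-quick also accepts a config without a `PrivateKey` line combined with `PostUp = wg set %i private-key /etc/wireguard/key.priv`, which would make the private-key slurp unnecessary.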
@@ -0,0 +1,25 @@
+# Configuration managed by Ansible
+[Interface]
+Address = {{ wireguard_subnet }}
+ListenPort = {{ wireguard_port }}
+PrivateKey = {{ wg_priv_key['content'] | b64decode | trim }}
+
+PostUp = ip route add local {{ wireguard_subnet }} dev eth0
+
+{% for host in hostvars.keys() if not host == inventory_hostname %}
+# Peer config for: {{ host }}
+[Peer]
+AllowedIPs = {{ hostvars[host]['wireguard_subnet'] }}
+PublicKey = {{ hostvars[host]['wg_pub_key']['content'] | b64decode | trim }}
+Endpoint = {{ host }}.box.pydis.wtf:{{ wireguard_port }}
+PersistentKeepalive = 30
+
+{% endfor %}
+
+{% for key in extra_keys %}
+# DevOps config for: {{ key.name }}
+[Peer]
+AllowedIPs = {{ key.subnet }}
+PublicKey = {{ key.pubkey }}
+
+{% endfor %} | 
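Review bot: The peer loop iterates `hostvars.keys()`, which is every host in the inventory rather than the hosts this role ran on, so any host without the registered `wg_pub_key` fact — a non-WireGuard host, one excluded by `--limit`, or one that was unreachable earlier in the play — makes the template fail on an undefined key, and every host that does have one becomes a peer whether or not it should; iterating a dedicated group, e.g. `{% for host in groups['wireguard'] if host != inventory_hostname %}`, bounds the peer set while keeping the hard failure so a missing key is noticed rather than silently dropped. Separately, `wireguard_subnet` is used both as this host's `Address` and as each peer's `AllowedIPs`; if that variable carries a network prefix rather than a /32 (its name suggests it may), every peer receives the same network as AllowedIPs and wg hands it to whichever peer is listed last, silently breaking the others — worth checking against the group vars, and worth a comment above the loop stating that the variable must be a per-host /32 if that is the contract. The `eth0` in `PostUp` is also hard-coded; if the fleet is not uniform, `{{ ansible_default_ipv4.interface }}` avoids a silent no-route on hosts with a different primary interface.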
