Add role for wireguard

Setup wireguard interfaces, configure and deploy keys. Private keys are stored in a file on the host. Public keys are stored in facts, enable fact-caching to allow running the role on a subset of the peers. The dictionary key (interface name) must be the same on all hosts (it identifies the network). At least one peer needs to have a static port specified, so other peers can connect to it. Peers are specified using an inventory hostpattern. This doesn't setup any packet forwarding, DNS server or other VPN features. It just enabled p2p connections (to potentially multiple peers), e.g. to allow serving usually unencrypted applications (like NFS) over an encrypted connection.

Add role for wireguard
59e7676a · Robin Sonnabend · ba2916ec · 59e7676a · 59e7676a · 59e7676a
Verified Commit 59e7676a authored Sep 1, 2020 by Robin Sonnabend
--- a/wireguard/defaults/main.yml
+++ b/wireguard/defaults/main.yml
+---
+wireguard_interfaces: {}
+# wg0:
+#   addresses: ["10.0.0.1", "fd00::1"]
+#   peers: hostname pattern (as in inventory)
+#   port: 40000 (optional, set to make reachable by peers)
--- a/wireguard/handlers/main.yml
+++ b/wireguard/handlers/main.yml
+---
+- name: restart wireguard
+  systemd:
+    name: "wg-quick@{{item.key}}.service"
+    state: restarted
+  with_dict: "{{wireguard_interfaces}}"
--- a/wireguard/tasks/install-Archlinux.yml
+++ b/wireguard/tasks/install-Archlinux.yml
+---
+- name: install wireguard on Arch
+  pacman:
+    name: wireguard-tools
+    state: present
--- a/wireguard/tasks/install-Debian.yml
+++ b/wireguard/tasks/install-Debian.yml
+---
+- name: install wireguard on Debian
+  apt:
+    name: wireguard
+    state: present
--- a/wireguard/tasks/main.yml
+++ b/wireguard/tasks/main.yml
+---
+- name: ensure wireguard is installed
+  include_tasks: "install-{{ansible_facts['os_family']}}.yml"
+- name: ensure we have a private key
+  shell:
+    cmd: "wg genkey | tee {{item.key}}.key | wg pubkey > {{item.key}}.pub"
+    chdir: /etc/wireguard
+    creates: "/etc/wireguard/{{item.key}}.key"
+  with_dict: "{{wireguard_interfaces}}"
+  notify:
+    - restart wireguard
+  no_log: true
+- name: get the pubkey
+  slurp:
+    src: "/etc/wireguard/{{item.key}}.pub"
+  register: pubkeys
+  with_dict: "{{wireguard_interfaces}}"
+- name: store the pubkey in facts
+  set_fact:
+    wireguard_pubkeys: "{{dict(pubkeys.results|map(attribute='item')|map(attribute='key') | zip(pubkeys.results|map(attribute='content')|map('b64decode')|map('trim')))}}"
+    cacheable: true
+- name: configure wireguard
+  template:
+    src: wireguard.conf.j2
+    dest: /etc/wireguard/{{item.key}}.conf
+    owner: root
+    group: root
+    mode: 0600
+  with_dict: "{{wireguard_interfaces}}"
+  notify:
+    - restart wireguard
+- name: enable interface
+  systemd:
+    name: "wg-quick@{{item.key}}.service"
+    state: started
+    enabled: true
+  with_dict: "{{wireguard_interfaces}}"
--- a/wireguard/templates/wireguard.conf.j2
+++ b/wireguard/templates/wireguard.conf.j2
+[Interface]
+Address = {{ item.value.addresses|join(", ") }}
+PostUp = wg set %i private-key /etc/wireguard/{{item.key}}.key
+{% if item.value.port is defined %}
+ListenPort = {{item.value.port}}
+{% endif %}
+{% for peer in lookup('inventory_hostnames', item.value.peers, wantlist=True) %}
+[Peer]
+PublicKey = {{hostvars[peer]['ansible_facts']['wireguard_pubkeys'][item.key]}}
+AllowedIPs = {{hostvars[peer]['wireguard_interfaces'][item.key]['addresses'] | join(', ')}}
+{% if hostvars[peer]['wireguard_interfaces'][item.key]['port'] is defined %}
+Endpoint = {{hostvars[peer]['ansible_facts']['fqdn']}}:{{hostvars[peer]['wireguard_interfaces'][item.key]['port']}}
+{% endif %}
+{% endfor %}