Initial commit

defaults/main.yml

@@ -0,0 +1,2 @@
+---
+wireguard_os_supported: False

handlers/main.yml

@@ -0,0 +1 @@
+---

meta/main.yml

@@ -0,0 +1,2 @@
+---
+galaxy_info:

tasks/main.yml

@@ -0,0 +1,63 @@
+---
+- name: Set OS dependent variables
+  ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
+  vars:
+    params:
+      files:
+        - "{{ ansible_distribution | lower }}_{{ ansible_distribution_version | lower }}.yml"
+        - "{{ ansible_distribution | lower }}_{{ ansible_distribution_major_version | lower }}.yml"
+        - "{{ ansible_distribution | lower }}.yml"
+        - "{{ ansible_os_family | lower }}.yml"
+        - "{{ ansible_system | lower }}.yml"
+      paths:
+        - '{{ role_path }}/vars'
+  ignore_errors: True
+
+- name: OS is supported
+  ansible.builtin.assert:
+    that: __os_supported
+    quiet: True
+  vars:
+    __os_supported: "{{ lookup('vars', '{}_os_supported'.format(role_name)) | bool }}"
+
+
+- name: Install wireguard
+  apt:
+    name: wireguard
+    state: present
+    update_cache: yes
+  
+- name: Set wg0.conf
+  template:
+    src: wg0.conf.j2
+    dest: /etc/wireguard/wg0.conf
+    owner: root
+    mode: 0600
+
+- name: Set add_client.sh
+  template:
+    src: add_client.sh.j2
+    dest: /etc/wireguard/add_client.sh
+    owner: root
+    mode: 0600
+
+- name: Set to_qr.sh
+  template:
+    src: to_qr.sh.j2
+    dest: /etc/wireguard/to_qr.sh
+    owner: root
+    mode: 0600
+
+- name: Set genpair.sh
+  template:
+    src: genpair.sh.j2
+    dest: /etc/wireguard/genpair.sh
+    owner: root
+    mode: 0600
+  
+- name: Enable wireguard service
+  service:
+    name: wg-quick@wg0.service
+    state: started
+    enabled: yes
+    daemon_reload: yes

templates/add_client.sh.j2

@@ -0,0 +1,43 @@
+# add_client <IP>
+IP=$1
+
+# If a client config file is already present, return
+if [[ -f /etc/wireguard/client/wg0.conf ]]
+then
+        echo "client/wg0.conf already exists. Please consider moving it to another place or deleting it"
+        return 1
+fi
+
+# generate client key pair
+private_key=$(wg genkey)
+public_key=$(echo $private_key | wg pubkey)
+
+# write updated server config to temp-file
+cp /etc/wireguard/wg0.conf /etc/wireguard/wg0-temp.conf
+echo "
+[Peer]
+PublicKey = $public_key
+AllowedIPs = $IP/32
+" >> /etc/wireguard/wg0-temp.conf
+
+# restart wireguard with updated conf
+wg-quick down wg0
+mv /etc/wireguard/wg0-temp.conf /etc/wireguard/wg0.conf
+wg-quick up wg0
+
+# generate client config file
+echo "[Interface]
+Address = $IP/24
+PrivateKey = $private_key
+MTU = 1280
+DNS = 192.168.2.1
+
+[Peer]
+PublicKey = UPnYF3sTTBUlyHz0gyEAL7c1+rFM7G4LOQ4oab2VqAg=
+AllowedIPs = 0.0.0.0/0
+Endpoint = wg.a-0.me:51900
+PersistentKeepalive = 30
+" > /etc/wireguard/client/wg0.conf
+
+# output client conf as QR-Code
+qrencode -r /etc/wireguard/client/wg0.conf -t ansiutf8

templates/genpair.sh.j2

@@ -0,0 +1 @@
+wg genkey | tee $1_private_key | wg pubkey > $1_public_key

templates/to_qr.sh.j2

@@ -0,0 +1 @@
+qrencode -r $1 -t ansiutf8

templates/wg0.conf.j2

@@ -0,0 +1,14 @@
+[Interface]
+Address = {{ wireguard_server_CIDR }}
+SaveConfig = true
+PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o {{ wireguard_iface_name }} -j MASQUERADE
+PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o {{ wireguard_iface_name }} -j MASQUERADE
+ListenPort = 51900
+PrivateKey = {{ wireguard_server_privkey }}
+
+{% for client in wireguard_clients %}
+[Peer]
+PublicKey = {{ client.pubkey }}
+AllowedIPs = {{ client.ipv4 }}
+
+{% endfor %}

vars/debian.yml

@@ -0,0 +1,4 @@
+---
+wireguard_os_supported: True
+
+wireguard_iface_name: eth0