From 0760ae4c2cd950a80f179808ad68a9af87719979 Mon Sep 17 00:00:00 2001
From: Ryan Cavicchioni
Date: Tue, 30 Aug 2022 07:51:47 -0500
Subject: [PATCH] add wireguard role
---
roles/wireguard/defaults/main.yaml | 13 +++++
roles/wireguard/handlers/main.yaml | 6 +++
.../wireguard/tasks/configure-interface.yaml | 15 ++++++
roles/wireguard/tasks/configure.yaml | 1 +
roles/wireguard/tasks/default.yaml | 0
roles/wireguard/tasks/install.yaml | 5 ++
roles/wireguard/tasks/main.yaml | 36 ++++++++++++++
roles/wireguard/templates/wg-multi.conf.j2 | 49 +++++++++++++++++++
roles/wireguard/templates/wg.conf.j2 | 33 +++++++++++++
roles/wireguard/vars/default.yaml | 0
10 files changed, 158 insertions(+)
create mode 100644 roles/wireguard/defaults/main.yaml
create mode 100644 roles/wireguard/handlers/main.yaml
create mode 100644 roles/wireguard/tasks/configure-interface.yaml
create mode 100644 roles/wireguard/tasks/configure.yaml
create mode 100644 roles/wireguard/tasks/default.yaml
create mode 100644 roles/wireguard/tasks/install.yaml
create mode 100644 roles/wireguard/tasks/main.yaml
create mode 100644 roles/wireguard/templates/wg-multi.conf.j2
create mode 100644 roles/wireguard/templates/wg.conf.j2
create mode 100644 roles/wireguard/vars/default.yaml
diff --git a/roles/wireguard/defaults/main.yaml b/roles/wireguard/defaults/main.yaml
new file mode 100644
index 0000000..76de59a
--- /dev/null
+++ b/roles/wireguard/defaults/main.yaml
@@ -0,0 +1,13 @@
+---
+wireguard_package_name: wireguard
+wireguard_package_state: present
+
+wireguard_service_name: "wg-quick"
+wireguard_service_state: started
+wireguard_service_enabled: true
+
+wireguard_etc_path: /etc/wireguard
+wireguard_port: 51820
+wireguard_interface: wg0
+
+wireguard_peers: {}
diff --git a/roles/wireguard/handlers/main.yaml b/roles/wireguard/handlers/main.yaml
new file mode 100644
index 0000000..1b02ed6
--- /dev/null
+++ b/roles/wireguard/handlers/main.yaml
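Review bot: `wireguard_interfaces` is read by the handler loop in handlers/main.yaml and by the `configure-interface.yaml` loop in tasks/main.yaml, yet it has no default in this file, so a host that does not set it fails in the handler with an undefined-variable error; add `wireguard_interfaces: {}` next to `wireguard_peers: {}`. Because every rendered config takes its PrivateKey from `wireguard_interfaces[<name>].private_key`, a comment above that default stating the expected shape and that the key values belong in vault-encrypted vars would help, e.g. `# wireguard_interfaces: {<name>: {private_key, address, listen_port}} — keep private_key in Ansible Vault`. `wireguard_interface` is not referenced by any task or template in this patch, and `wireguard_port` only by wg.conf.j2, which no task uses, so both look like leftovers from the single-interface path; a comment marking them as such, or dropping them, avoids confusion about which variables drive the role.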
@@ -0,0 +1,6 @@
+---
+- name: restart wg-quick
+ systemd:
+ name: "wg-quick@{{ item }}"
+ state: restarted
+ loop: "{{ wireguard_interfaces.keys() | list }}"
diff --git a/roles/wireguard/tasks/configure-interface.yaml b/roles/wireguard/tasks/configure-interface.yaml
new file mode 100644
index 0000000..657972c
--- /dev/null
+++ b/roles/wireguard/tasks/configure-interface.yaml
@@ -0,0 +1,15 @@
+---
+- name: configure interface
+ template:
+ src: wg-multi.conf.j2
+ dest: "{{ wireguard_etc_path }}/{{ _wireguard_interface }}.conf"
+ owner: root
+ group: root
+ mode: 0400
+ notify: restart wg-quick
+
+- name: manage service
+ service:
+ name: "{{ wireguard_service_name }}@{{ _wireguard_interface }}"
+ state: "{{ wireguard_service_state }}"
+ enabled: "{{ wireguard_service_enabled }}"
diff --git a/roles/wireguard/tasks/configure.yaml b/roles/wireguard/tasks/configure.yaml
new file mode 100644
index 0000000..ed97d53
--- /dev/null
+++ b/roles/wireguard/tasks/configure.yaml
@@ -0,0 +1 @@
+---
diff --git a/roles/wireguard/tasks/default.yaml b/roles/wireguard/tasks/default.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/wireguard/tasks/install.yaml b/roles/wireguard/tasks/install.yaml
new file mode 100644
index 0000000..66e9ade
--- /dev/null
+++ b/roles/wireguard/tasks/install.yaml
@@ -0,0 +1,5 @@
+---
+- name: install package
+ package:
+ name: "{{ wireguard_package_name }}"
+ state: "{{ wireguard_package_state }}"
diff --git a/roles/wireguard/tasks/main.yaml b/roles/wireguard/tasks/main.yaml
new file mode 100644
index 0000000..524db2e
--- /dev/null
+++ b/roles/wireguard/tasks/main.yaml
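Review bot: The handler hard-codes the unit as `wg-quick@{{ item }}` while the `manage service` task in configure-interface.yaml builds it from `wireguard_service_name`, so overriding that variable leaves the handler restarting a unit the role did not start; use `name: "{{ wireguard_service_name }}@{{ item }}"`. It also restarts every interface in `wireguard_interfaces` whenever any single config changes, which briefly takes all tunnels on the host down; limiting the restart to the interfaces whose config actually changed (for example by registering the template result and looping over its changed items) would be less disruptive. The loop reads `wireguard_interfaces.keys()` with no `is mapping` guard, unlike tasks/main.yaml, so the handler is the place an undefined variable surfaces.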
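Review bot: The file rendered by `configure interface` contains the interface's PrivateKey, and the `template` task prints the full content in diff output when the play runs with `--diff` or in check mode, so the key ends up in console logs and CI output; add `no_log: true` to that task (at minimum `diff: false`). `mode: 0400` should be written as `mode: "0400"` so the value reaches Ansible as the string the file modules document rather than a YAML integer. `owner: root`, `group: root` and 0400 are the right restriction for a key-bearing config, and a one-line comment above the task saying why (`# config holds the private key: root-only, never shown in diffs`) records the intent for the next editor.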
@@ -0,0 +1,36 @@
+---
+- name: gather os specific variables
+ include_vars: "{{ lookup('first_found', possible_files) }}"
+ vars:
+ possible_files:
+ files:
+ - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+ - "{{ ansible_distribution }}.yaml"
+ - "{{ ansible_os_family }}.yaml"
+ - "default.yaml"
+ paths:
+ - vars
+
+- name: include os specific tasks
+ include_tasks: "{{ lookup('first_found', possible_files) }}"
+ vars:
+ possible_files:
+ files:
+ - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+ - "{{ ansible_distribution }}.yaml"
+ - "{{ ansible_os_family }}.yaml"
+ - "default.yaml"
+ paths:
+ - tasks
+
+- include: install.yaml
+
+#- include: configure.yaml
+
+- include: configure-interface.yaml
+ loop: "{{ wireguard_interfaces.keys() | list }}"
+ loop_control:
+ loop_var: _wireguard_interface
+ when:
+ - wireguard_interfaces is mapping
+ - wireguard_interfaces.keys() | length
diff --git a/roles/wireguard/templates/wg-multi.conf.j2 b/roles/wireguard/templates/wg-multi.conf.j2
new file mode 100644
index 0000000..f50b02d
--- /dev/null
+++ b/roles/wireguard/templates/wg-multi.conf.j2
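Review bot: `- include: install.yaml` and `- include: configure-interface.yaml` use the deprecated `include` keyword while the same file already uses `include_tasks` for the OS-specific tasks; `- include_tasks: install.yaml` and `- include_tasks: configure-interface.yaml` keep the loop behavior and make the file consistent with itself. The commented-out `#- include: configure.yaml` together with the empty configure.yaml and tasks/default.yaml read as placeholders, so a comment such as `# single-interface path (configure.yaml / wg.conf.j2) not wired up yet` would tell a reader whether that is deliberate. Both `first_found` lookups fall back to `default.yaml`, and vars/default.yaml is empty in this patch; it is worth confirming that `include_vars` accepts an empty file on the Ansible version targeted rather than treating it as an error.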
@@ -0,0 +1,49 @@
+{%- macro render_interface(i) %}
+[Interface]
+{% if "private_key" in i %}
+PrivateKey = {{ i.private_key }}
+{% endif %}
+{% if "address" in i %}
+{% if i.address is string %}
+Address = {{ i.address }}
+{% elif i.address is sequence %}
+{% for address in i.address %}
+Address = {{ address }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% if "listen_port" in i %}
+ListenPort = {{ i.listen_port }}
+{% endif %}
+{% endmacro -%}
+
+{%- macro render_peer(p) %}
+{% if "comment" in p %}
+# {{ p.comment }}
+{% endif %}
+[Peer]
+{% if "public_key" in p %}
+PublicKey = {{ p.public_key }}
+{% endif %}
+{% if "endpoint" in p %}
+Endpoint = {{ p.endpoint }}
+{% endif %}
+{% if "allowed_ips" in p %}
+{% if p.allowed_ips is string %}
+AllowedIPs = {{ p.allowed_ips }}
+{% elif p.allowed_ips is sequence %}
+AllowedIPs = {{ p.allowed_ips | join(', ') }}
+{% endif %}
+{% endif %}
+{% endmacro -%}
+
+{% if wireguard_interfaces[_wireguard_interface] and
+ wireguard_interfaces[_wireguard_interface] is mapping %}
+{{ render_interface(wireguard_interfaces[_wireguard_interface]) }}
+{% endif %}
+{% if wireguard_peers[_wireguard_interface] and
+ wireguard_peers[_wireguard_interface] is sequence %}
+{% for peer in wireguard_peers[_wireguard_interface] %}
+{{ render_peer(peer) }}
+{% endfor %}
+{% endif %}
diff --git a/roles/wireguard/templates/wg.conf.j2 b/roles/wireguard/templates/wg.conf.j2
new file mode 100644
index 0000000..4974021
--- /dev/null
+++ b/roles/wireguard/templates/wg.conf.j2
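Review bot: The second top-level `{% if wireguard_peers[_wireguard_interface] and ... %}` indexes `wireguard_peers` with a key that need not exist (the default in defaults/main.yaml is `{}`), and Ansible's undefined handling makes the truth test on that missing entry fail, so an interface that has no peers entry cannot be rendered at all; test membership first, `{% if _wireguard_interface in wireguard_peers and wireguard_peers[_wireguard_interface] is sequence %}`. The `wireguard_interfaces[...]` lookup above it is safe only because tasks/main.yaml iterates the existing keys, which is worth a comment at the top of the template, e.g. `{# rendered once per key of wireguard_interfaces (loop_var _wireguard_interface); wireguard_peers is keyed by the same name #}`. Jinja's `sequence` test also accepts strings and mappings, whereas wg.conf.j2 guards with `is not string`; a string or dict value for an interface's peers would pass here and be iterated character by character or key by key, so adding `and ... is not string and ... is not mapping` keeps the two templates consistent.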
@@ -0,0 +1,33 @@
+[Interface]
+PrivateKey = {{ wireguard_private_key }}
+{% if wireguard_address %}
+{% if wireguard_address is string %}
+Address = {{ wireguard_address }}
+{% elif wireguard_address is sequence %}
+{% for address in wireguard_address %}
+Address = {{ address }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% if wireguard_port %}
+ListenPort = {{ wireguard_port }}
+{% endif %}
+
+{% if wireguard_peers is not string and wireguard_peers is sequence %}
+{% for peer in wireguard_peers %}
+[Peer]
+{% if "public_key" in peer %}
+PublicKey = {{ peer.public_key }}
+{% endif %}
+{% if "endpoint" in peer %}
+Endpoint = {{ peer.endpoint }}
+{% endif %}
+{% if "allowed_ips" in peer %}
+{% if peer.allowed_ips is string %}
+AllowedIPs = {{ peer.allowed_ips }}
+{% elif peer.allowed_ips is sequence %}
+AllowedIPs = {{ peer.allowed_ips.join(', ') }}
+{% endif %}
+{% endif %}
+{% endfor %}
+{% endif %}
diff --git a/roles/wireguard/vars/default.yaml b/roles/wireguard/vars/default.yaml
new file mode 100644
index 0000000..e69de29
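Review bot: `AllowedIPs = {{ peer.allowed_ips.join(', ') }}` calls a `.join` method on a list, which Python lists do not have, so any peer whose `allowed_ips` is a list makes the render fail; use the filter form `AllowedIPs = {{ peer.allowed_ips | join(', ') }}` as wg-multi.conf.j2 already does. No task in this patch references wg.conf.j2 (configure-interface.yaml renders wg-multi.conf.j2 and configure.yaml is empty), so this template appears unused for now, and a leading `{# single-interface template; not wired to a task until configure.yaml is filled in #}` would stop it being mistaken for the live one. `wireguard_private_key` and `wireguard_address` are rendered here but have no entry in defaults/main.yaml, which is acceptable for a required secret but should be stated in the defaults so the required inputs are discoverable.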