add wireguard role

roles/wireguard/defaults/main.yaml

@@ -0,0 +1,13 @@
+---
+wireguard_package_name: wireguard
+wireguard_package_state: present
+
+wireguard_service_name: "wg-quick"
+wireguard_service_state: started
+wireguard_service_enabled: true
+
+wireguard_etc_path: /etc/wireguard
+wireguard_port: 51820
+wireguard_interface: wg0
+
+wireguard_peers: {}

roles/wireguard/handlers/main.yaml

@@ -0,0 +1,6 @@
+---
+- name: restart wg-quick
+  systemd:
+    name: "wg-quick@{{ item }}"
+    state: restarted
+  loop: "{{ wireguard_interfaces.keys() | list }}"

roles/wireguard/tasks/configure-interface.yaml

@@ -0,0 +1,15 @@
+---
+- name: configure interface
+  template:
+    src: wg-multi.conf.j2
+    dest: "{{ wireguard_etc_path }}/{{ _wireguard_interface }}.conf"
+    owner: root
+    group: root
+    mode: 0400
+  notify: restart wg-quick
+
+- name: manage service
+  service:
+    name: "{{ wireguard_service_name }}@{{ _wireguard_interface }}"
+    state: "{{ wireguard_service_state }}"
+    enabled: "{{ wireguard_service_enabled }}"

roles/wireguard/tasks/configure.yaml

@@ -0,0 +1 @@
+---

roles/wireguard/tasks/install.yaml

@@ -0,0 +1,5 @@
+---
+- name: install package
+  package:
+    name: "{{ wireguard_package_name }}"
+    state: "{{ wireguard_package_state }}"

roles/wireguard/tasks/main.yaml

@@ -0,0 +1,36 @@
+---
+- name: gather os specific variables
+  include_vars: "{{ lookup('first_found', possible_files) }}"
+  vars:
+    possible_files:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - vars
+
+- name: include os specific tasks
+  include_tasks: "{{ lookup('first_found', possible_files) }}"
+  vars:
+    possible_files:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - tasks
+
+- include: install.yaml
+
+#- include: configure.yaml
+
+- include: configure-interface.yaml
+  loop: "{{ wireguard_interfaces.keys() | list }}"
+  loop_control:
+    loop_var: _wireguard_interface
+  when:
+    - wireguard_interfaces is mapping
+    - wireguard_interfaces.keys() | length

roles/wireguard/templates/wg-multi.conf.j2

@@ -0,0 +1,49 @@
+{%- macro render_interface(i) %}
+[Interface]
+{%   if "private_key" in i %}
+PrivateKey = {{ i.private_key }}
+{%   endif %}
+{%   if "address" in i %}
+{%     if i.address is string %}
+Address = {{ i.address }}
+{%     elif i.address is sequence %}
+{%       for address in i.address %}
+Address = {{ address }}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{%   if "listen_port" in i %}
+ListenPort = {{ i.listen_port }}
+{%   endif %}
+{% endmacro -%}
+
+{%- macro render_peer(p) %}
+{%   if "comment" in p %}
+# {{ p.comment }}
+{%   endif %}
+[Peer]
+{%   if "public_key" in p %}
+PublicKey = {{ p.public_key }}
+{%   endif %}
+{%   if "endpoint" in p %}
+Endpoint = {{ p.endpoint }}
+{%   endif %}
+{%   if "allowed_ips" in p %}
+{%     if p.allowed_ips is string %}
+AllowedIPs = {{ p.allowed_ips }}
+{%     elif p.allowed_ips is sequence %}
+AllowedIPs = {{ p.allowed_ips | join(', ') }}
+{%     endif %}
+{%   endif %}
+{% endmacro -%}
+
+{% if wireguard_interfaces[_wireguard_interface] and
+      wireguard_interfaces[_wireguard_interface] is mapping %}
+{{   render_interface(wireguard_interfaces[_wireguard_interface]) }}
+{% endif %}
+{% if wireguard_peers[_wireguard_interface] and
+      wireguard_peers[_wireguard_interface] is sequence %}
+{%   for peer in wireguard_peers[_wireguard_interface] %}
+{{     render_peer(peer) }}
+{%   endfor %}
+{% endif %}

roles/wireguard/templates/wg.conf.j2

@@ -0,0 +1,33 @@
+[Interface]
+PrivateKey = {{ wireguard_private_key }}
+{% if wireguard_address %}
+{%   if wireguard_address is string %}
+Address = {{ wireguard_address }}
+{%   elif wireguard_address is sequence %}
+{%     for address in wireguard_address %}
+Address = {{ address }}
+{%     endfor %}
+{%   endif %}
+{% endif %}
+{% if wireguard_port %}
+ListenPort = {{ wireguard_port }}
+{% endif %}
+
+{% if wireguard_peers is not string and wireguard_peers is sequence %}
+{%   for peer in wireguard_peers %}
+[Peer]
+{%     if "public_key" in peer %}
+PublicKey = {{ peer.public_key }}
+{%     endif %}
+{%     if "endpoint" in peer %}
+Endpoint = {{ peer.endpoint }}
+{%     endif %}
+{%     if "allowed_ips" in peer %}
+{%       if peer.allowed_ips is string %}
+AllowedIPs = {{ peer.allowed_ips }}
+{%       elif peer.allowed_ips is sequence %}
+AllowedIPs = {{ peer.allowed_ips.join(', ') }}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{% endif %}