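---
# WireGuard over systemd-networkd.
#
# Installs the packages, generates one key pair per host (only once), copies
# the public key back to the controller's files/ tree and renders the
# .netdev/.network units for either the 'server' or the 'client' role, as
# selected by wireguard__role. Every task inherits the `wireguard` tag; the
# configuration-only steps additionally carry `wireguard-config`.
- tags:
    - wireguard
  become: true
  block:
    - name: Install packages
      apt:
        name:
          - wireguard
          # Debian header package name depends on the CPU architecture.
          - "{{ 'linux-headers-amd64' if ansible_architecture == 'x86_64' else 'linux-headers-686-pae' }}"
        install_recommends: false

    - name: systemctl enable systemd-networkd
      systemd:
        name: systemd-networkd
        enabled: true
        state: started

    # The key pair lives here; keep the directory readable by root only.
    - name: mkdir /etc/wireguard
      file:
        path: /etc/wireguard
        state: directory
        owner: root
        group: root
        mode: "0700"

    # Runs once per host (`creates:`). The umask makes private.key 0600
    # at creation time instead of relying on the shell's default umask.
    - name: wg genkey /etc/wireguard/private.key
      tags: wireguard-config
      shell: umask 077 && wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key
      args:
        creates: /etc/wireguard/private.key
      register: wg_private_key_gen

    # With fetch's default flat=false the file lands at
    # files/<inventory_hostname>/etc/wireguard/public.key on the controller.
    # The lookup('file', ...) calls below build the path from ansible_hostname,
    # so this assumes inventory_hostname == ansible_hostname — confirm.
    - name: Fetch public key to the controller
      when: wg_private_key_gen is changed
      tags: wireguard-config
      fetch:
        src: "/etc/wireguard/public.key"
        dest: "files"

    # The registered result contains the private key (base64); keep it out of
    # task output at any verbosity.
    - name: Read private key
      tags: wireguard-config
      slurp:
        src: "/etc/wireguard/private.key"
      register: wg_private_key
      no_log: true

    # systemd.netdev(5) recommends root:systemd-network 0640 for .netdev files
    # that carry PrivateKey=. diff: false keeps the key out of --diff output.
    - name: Make /etc/systemd/network/60-wg-XXX.netdev (Client)
      when: wireguard__role == 'client'
      notify: systemctl restart systemd-networkd
      tags: wireguard-config
      diff: false
      copy:
        dest: "/etc/systemd/network/60-wg-{{ wireguard__net_id }}.netdev"
        owner: root
        group: systemd-network
        mode: "0640"
        content: |
          [NetDev]
          Name=wg-{{ wireguard__net_id }}
          Kind=wireguard
          Description=Net id: {{ wireguard__net_id }}

          [WireGuard]
          PrivateKey={{ wg_private_key['content'] | b64decode }}

          [WireGuardPeer]
          PublicKey={{ lookup('file', wireguard__server.ansible_hostname + '/etc/wireguard/public.key') }}
          AllowedIPs=0.0.0.0/0
          AllowedIPs=::/0
          Endpoint={{ wireguard__server.hostname }}:{{ wireguard__listen_port }}
          PersistentKeepalive=60

    # One [WireGuardPeer] section per client with state 'present'; clients
    # with any other state are emitted as a comment only.
    - name: Make /etc/systemd/network/60-wg-XXX.netdev (Server)
      when: wireguard__role == 'server'
      notify: systemctl restart systemd-networkd
      tags: wireguard-config
      diff: false
      copy:
        dest: "/etc/systemd/network/60-wg-{{ wireguard__net_id }}.netdev"
        owner: root
        group: systemd-network
        mode: "0640"
        content: |
          [NetDev]
          Name=wg-{{ wireguard__net_id }}
          Kind=wireguard
          Description=Net id: {{ wireguard__net_id }}

          [WireGuard]
          PrivateKey={{ wg_private_key['content'] | b64decode }}
          ListenPort={{ wireguard__listen_port }}

          {% for c in wireguard__clients %}
          {% set client = wireguard__clients[c] %}
          # Client: {{ c }}
          {% if client.state == 'present' %}
          [WireGuardPeer]
          PublicKey={{ lookup('file', c + '/etc/wireguard/public.key') }}
          AllowedIPs={{ client.ipv4 }}
          AllowedIPs={{ client.ipv6 }}
          {% else %}
          # absent
          {% endif %}
          {% endfor %}

    # Older layout used 60-wg-XXX.network; the unit now lives at 61-wg-XXX.network.
    - name: rm /etc/systemd/network/60-wg-XXX.network
      tags: wireguard-config
      file:
        path: "/etc/systemd/network/60-wg-{{ wireguard__net_id }}.network"
        state: absent

    - name: Make /etc/systemd/network/61-wg-XXX.network (Client)
      when: wireguard__role == 'client'
      tags: wireguard-config
      notify: systemctl restart systemd-networkd
      copy:
        dest: "/etc/systemd/network/61-wg-{{ wireguard__net_id }}.network"
        content: |
          [Match]
          Name=wg-{{ wireguard__net_id }}

          [Network]
          Address={{ wireguard__clients[ansible_hostname].ipv4 }}/{{ wireguard__server.ipv4.prefix }}
          Address={{ wireguard__clients[ansible_hostname].ipv6 }}/{{ wireguard__server.ipv6.prefix }}

    - name: Make /etc/systemd/network/61-wg-XXX.network (Server)
      when: wireguard__role == 'server'
      tags: wireguard-config
      notify: systemctl restart systemd-networkd
      copy:
        dest: "/etc/systemd/network/61-wg-{{ wireguard__net_id }}.network"
        content: |
          [Match]
          Name=wg-{{ wireguard__net_id }}

          [Network]
          Address={{ wireguard__server.ipv4.address }}/{{ wireguard__server.ipv4.prefix }}
          Address={{ wireguard__server.ipv6.address }}/{{ wireguard__server.ipv6.prefix }}

    # Only the server accepts inbound handshakes; clients connect out.
    - name: UFW allow port
      when: wireguard__role == 'server'
      tags: wireguard-config
      ufw:
        rule: allow
        port: "{{ wireguard__listen_port }}"
        proto: udp

    # Writes a vars file on the controller with one A and one AAAA record per
    # client, sorted by client name, for consumption by a DNS role.
    - name: generate dns records
      tags: wireguard-dns-records
      when: wireguard__role == 'server'
      local_action:
        module: copy
        content: |
          wireguard_dns_records_{{ wireguard__net_id }}:
          {% for c in wireguard__clients|sort %}
          {% set client = wireguard__clients[c] %}
            - type: A
              name: {{ c }}
              value: {{ client.ipv4 }}
              state: {{ client.state }}
            - type: AAAA
              name: {{ c }}
              value: {{ client.ipv6 }}
              state: {{ client.state }}
          {% endfor %}
        dest: "files/wireguard-dns-records-{{ wireguard__net_id }}.yml"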