init

2026-03-14 05:38:45 +01:00 · 2026-03-14 05:38:45 +01:00 · 883f31932e
commit 883f31932e
169 changed files with 5676 additions and 0 deletions
--- a/ansible/roles/wireguard/defaults/main.yml
+++ b/ansible/roles/wireguard/defaults/main.yml
@ -0,0 +1,4 @@
+---
+wg_interface: wg0
+wg_port: 51820
+wg_persistent_keepalive: 25
--- a/ansible/roles/wireguard/handlers/main.yml
+++ b/ansible/roles/wireguard/handlers/main.yml
@ -0,0 +1,6 @@
+---
+-
+    name: restart wireguard
+    systemd:
+        name: "wg-quick@{{ wg_interface }}"
+        state: restarted
--- a/ansible/roles/wireguard/meta/main.yml
+++ b/ansible/roles/wireguard/meta/main.yml
@ -0,0 +1,2 @@
+---
+dependencies: []
--- a/ansible/roles/wireguard/tasks/deploy-wireguard.yml
+++ b/ansible/roles/wireguard/tasks/deploy-wireguard.yml
@ -0,0 +1,21 @@
+---
+-
+    name: Read WireGuard private key
+    slurp:
+        src: /etc/wireguard/private.key
+    register: wg_private_key_file
+
+-
+    name: Deploy WireGuard configuration
+    template:
+        src: wg.conf.j2
+        dest: "/etc/wireguard/{{ wg_interface }}.conf"
+        mode: "0600"
+    notify: restart wireguard
+
+-
+    name: Enable and start WireGuard
+    systemd:
+        name: "wg-quick@{{ wg_interface }}"
+        enabled: yes
+        state: started
--- a/ansible/roles/wireguard/tasks/generate-keys.yml
+++ b/ansible/roles/wireguard/tasks/generate-keys.yml
@ -0,0 +1,45 @@
+---
+-
+    name: Ensure /etc/wireguard exists
+    file:
+        path: /etc/wireguard
+        state: directory
+        mode: "0700"
+
+-
+    name: Check for existing WireGuard private key
+    stat:
+        path: /etc/wireguard/private.key
+    register: wg_key_stat
+
+-
+    name: Generate WireGuard private key
+    command: wg genkey
+    register: wg_genkey
+    when: not wg_key_stat.stat.exists
+
+-
+    name: Save WireGuard private key
+    copy:
+        content: "{{ wg_genkey.stdout }}\n"
+        dest: /etc/wireguard/private.key
+        mode: "0600"
+    when: not wg_key_stat.stat.exists
+
+-
+    name: Derive WireGuard public key
+    shell: wg pubkey < /etc/wireguard/private.key
+    register: wg_pubkey_result
+    changed_when: false
+
+-
+    name: Save WireGuard public key
+    copy:
+        content: "{{ wg_pubkey_result.stdout }}\n"
+        dest: /etc/wireguard/public.key
+        mode: "0644"
+
+-
+    name: Set WireGuard key facts
+    set_fact:
+        wg_public_key: "{{ wg_pubkey_result.stdout | trim }}"
--- a/ansible/roles/wireguard/tasks/install-wireguard.yml
+++ b/ansible/roles/wireguard/tasks/install-wireguard.yml
@ -0,0 +1,6 @@
+---
+-
+    name: Install WireGuard packages
+    package:
+        name: "{{ wg_packages }}"
+        state: present
--- a/ansible/roles/wireguard/tasks/main.yml
+++ b/ansible/roles/wireguard/tasks/main.yml
@ -0,0 +1,8 @@
+---
+-
+    name: Include OS-specific variables
+    include_vars: "{{ ansible_os_family }}.yml"
+
+-
+    name: Install WireGuard
+    include_tasks: install-wireguard.yml
--- a/ansible/roles/wireguard/templates/wg.conf.j2
+++ b/ansible/roles/wireguard/templates/wg.conf.j2
@ -0,0 +1,20 @@
+[Interface]
+PrivateKey = {{ wg_private_key_file.content | b64decode | trim }}
+Address = {{ wg_address }}
+ListenPort = {{ wg_port }}
+
+{% for peer in wg_peers %}
+{% if peer.name is defined %}
+# {{ peer.name }}
+{% endif %}
+[Peer]
+PublicKey = {{ peer.public_key }}
+AllowedIPs = {{ peer.allowed_ips }}
+{% if peer.endpoint is defined %}
+Endpoint = {{ peer.endpoint }}
+{% endif %}
+{% if peer.persistent_keepalive | default(false) %}
+PersistentKeepalive = {{ wg_persistent_keepalive }}
+{% endif %}
+
+{% endfor %}
--- a/ansible/roles/wireguard/vars/Debian.yml
+++ b/ansible/roles/wireguard/vars/Debian.yml
@ -0,0 +1,4 @@
+---
+wg_packages:
+    - wireguard
+    - wireguard-tools