initial implementation - part 1

2018-07-17 00:26:00 +02:00 · 2018-07-17 00:26:00 +02:00 · 6517b8cdba
parent 49c39916fd
commit 6517b8cdba
10 changed files with 209 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -1 +1,38 @@
-# ansible-role-wireguard
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -0,0 +1,26 @@
+---
+# The LOCAL directory where the Wireguard certificate is stored after it was
+# generated. By default this will expand to user's LOCAL ${HOME}
+# (the user that run's "ansible-playbook" command) plus
+# "/wireguard/certs". That means if the user's ${HOME} directory is e.g.
+# "/home/da_user" then "wireguard_cert_directory" will have a value of
+# "/home/da_user/wireguard/certs". If you change this make sure that
+# the parent directory is writable by the user that runs "ansible-playbook"
+# command.
+wireguard_cert_directory: "{{ '~/wireguard/certs' | expanduser }}"
+
+# Directory to store Wireguard configuration on the remote hosts
+wireguard_remote_directory: "/etc/wireguard"
+
+# The port Wireguard will listen on.
+wireguard_port: "51820"
+
+# The interface name that wireguard should use.
+wireguard_interface: "wg0"
+
+wireguard_server_conf: |
+  [Interface]
+  PrivateKey = {{wg_server_privatekey }}
+  Address = {{wireguard_ip}}
+  ListenPort = {{wireguard_port}}
+  SaveConfig = true 
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -0,0 +1 @@
+---
--- a/meta/main.yml
+++ b/meta/main.yml
@ -0,0 +1,14 @@
+galaxy_info:
+  author: Robert Wimmer
+  description: Installs Wireguard incl. systemd integration
+  license: GPLv3
+  min_ansible_version: 2.5
+  platforms:
+  - name: Ubuntu
+    versions:
+    - bionic
+  galaxy_tags:
+    - networking
+    - security
+    - linux
+    - vpn
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -0,0 +1,120 @@
+---
+- name: Determine kernel release
+  shell: "uname -r"
+  register: kernel_release
+
+- name: Install required packages
+  package:
+    name: "{{item}}"
+    state: present
+  with_items:
+    - software-properties-common
+    - linux-headers-{{kernel_release}}
+
+- name : Add WireGuard repository
+  apt_repository:
+    repo: "ppa:wireguard/wireguard"
+    state: present
+    update_cache: yes
+
+- name: Install WireGuard
+  package:
+    name: "{{item}}"
+    state: present
+  with_items:
+    - wireguard-dkms
+    - wireguard-tools
+
+- name: Enable WireGuard kernel module
+  modprobe:
+    name: wireguard
+    state: present
+  register: wireguard_module_enabled
+  until:  wireguard_module_enabled is succeeded
+  retries: 10
+  delay: 10
+  failed_when: wireguard_module_enabled is failure
+
+- name: Create WireGuard certificates directory
+  file:
+    dest: "{{wireguard_cert_directory}}"
+    state: directory
+    mode: 0700
+  run_once: true
+  delegate_to: localhost
+
+- name: Register if private key already exists
+  local_action:
+    module: stat
+    path: "{{wireguard_cert_directory}}/{{inventory_hostname}}.private.key"
+  register: private_key_file
+  tags:
+    - wg-generate-keys
+
+- name: Generate WireGuard private key
+  shell: "wg genkey"
+  register: wg_private_key_result
+  with_inventory_hostnames:
+    - vpn
+  when: private_key_file.stat.exists == False
+  tags:
+    - wg-generate-keys
+
+- name: Set private key fact
+  set_fact:
+    wg_private_key: "{{wg_private_key_result.results[0].stdout}}"
+  when: private_key_file.stat.exists == False
+  tags:
+    - wg-generate-keys
+
+- name: Generate WireGuard public key
+  shell: "echo '{{wg_private_key}}' | wg pubkey"
+  register: wg_public_key_result
+  when: private_key_file.stat.exists == False
+  with_inventory_hostnames:
+    - vpn
+  tags:
+    - wg-generate-keys
+
+- name: Set public key fact
+  set_fact:
+    wg_public_key: "{{wg_public_key_result.results[0].stdout}}"
+  when: private_key_file.stat.exists == False
+  tags:
+    - wg-generate-keys
+
+- name: Store hosts private key locally
+  local_action:
+    module: template
+    src: "wg-privatekey.j2"
+    dest: "{{wireguard_cert_directory}}/{{inventory_hostname}}.private.key"
+    mode: 0600
+  when: private_key_file.stat.exists == False
+  tags:
+    - wg-generate-keys
+
+- name: Store hosts public key locally
+  local_action:
+    module: template
+    src: "wg-publickey.j2"
+    dest: "{{wireguard_cert_directory}}/{{inventory_hostname}}.public.key"
+    mode: 0600
+  when: private_key_file.stat.exists == False
+  tags:
+    - wg-generate-keys
+
+  #- name: Generate WireGuard configuration file
+  #  template:
+  #    src: wireguard.conf.j2
+  #    dest: /etc/wireguard/wg0.conf
+  #    owner: root
+  #    group: root
+  #    mode: 0600
+  #    force: no
+  #
+  #
+  #- name: Start and enable WireGuard service
+  #  service:
+  #    name: wg-quick@wg0
+  #    state: started
+  #    enabled: yes
--- a/templates/wg-privatekey.j2
+++ b/templates/wg-privatekey.j2
@ -0,0 +1 @@
+{{hostvars[inventory_hostname]['wg_private_key']}}
--- a/templates/wg-publickey.j2
+++ b/templates/wg-publickey.j2
@ -0,0 +1 @@
+{{hostvars[inventory_hostname]['wg_public_key']}}
--- a/tests/inventory
+++ b/tests/inventory
@ -0,0 +1,2 @@
+localhost
+
--- a/tests/test.yml
+++ b/tests/test.yml
@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - .
--- a/vars/main.yml
+++ b/vars/main.yml
@ -0,0 +1 @@
+---
				`@ -0,0 +1 @@`
				`{{hostvars[inventory_hostname]['wg_private_key']}}`
				`@ -0,0 +1 @@`
				`{{hostvars[inventory_hostname]['wg_public_key']}}`