From 977b21147ab600436311335eb3d6ed8ea83a69da Mon Sep 17 00:00:00 2001 From: githubixx Date: Wed, 18 Jul 2018 23:57:27 +0200 Subject: [PATCH] first working version --- defaults/main.yml | 10 ++-- tasks/main.yml | 88 +++++++++++++++++++++++------------ templates/wg-fullmesh.conf.j2 | 14 ++++++ 3 files changed, 76 insertions(+), 36 deletions(-) create mode 100644 templates/wg-fullmesh.conf.j2 diff --git a/defaults/main.yml b/defaults/main.yml index 245ddc3..c5f80cb 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -18,9 +18,7 @@ wireguard_port: "51820" # The interface name that wireguard should use. wireguard_interface: "wg0" -wireguard_server_conf: | - [Interface] - PrivateKey = {{wg_server_privatekey }} - Address = {{wireguard_ip}} - ListenPort = {{wireguard_port}} - SaveConfig = true +# TODO: Currently the role only supports full mesh network. But there +# should also be the possibility to have only one server and many +# peers. Needs to be implemented so this variable isn't used yet. +# wireguard_server: "" diff --git a/tasks/main.yml b/tasks/main.yml index 2209815..fa68d9e 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,15 +1,11 @@ --- -- name: Determine kernel release - shell: "uname -r" - register: kernel_release - - name: Install required packages package: name: "{{item}}" state: present with_items: - software-properties-common - - linux-headers-{{kernel_release}} + - linux-headers-{{ansible_kernel}} - name : Add WireGuard repository apt_repository: 
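Review bot: `linux-headers-{{ansible_kernel}}` in the `Install required packages` loop now depends on gathered facts, so a play with `gather_facts: false` (or one that has not run `setup` for the host) fails on an undefined variable before anything is installed; the removed `uname -r` task had no such dependency. A short comment above the task, `# ansible_kernel comes from fact gathering; the play must not disable it`, would make the requirement visible, or the role could guard it with a `setup` task filtered to `ansible_kernel`. As a point of style, the `package` module accepts a list for `name`, so the `with_items` loop could be replaced by passing the two names directly, if the targeted Ansible version supports it. The `Add WireGuard repository` task that starts at the end of this hunk continues outside it.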
@@ -43,11 +39,23 @@ run_once: true delegate_to: localhost +- name: Set path to private key file + set_fact: + private_key_file_path: "{{wireguard_cert_directory}}/{{inventory_hostname}}.private.key" + tags: + wg-config + +- name: Set path to public key file + set_fact: + public_key_file_path: "{{wireguard_cert_directory}}/{{inventory_hostname}}.public.key" + tags: + wg-config + - name: Register if private key already exists local_action: module: stat - path: "{{wireguard_cert_directory}}/{{inventory_hostname}}.private.key" - register: private_key_file + path: "{{private_key_file_path}}" + register: private_key_file_stat tags: - wg-generate-keys @@ -56,21 +64,21 @@ register: wg_private_key_result with_inventory_hostnames: - vpn - when: private_key_file.stat.exists == False + when: private_key_file_stat.stat.exists == False tags: - wg-generate-keys - name: Set private key fact set_fact: wg_private_key: "{{wg_private_key_result.results[0].stdout}}" - when: private_key_file.stat.exists == False + when: private_key_file_stat.stat.exists == False tags: - wg-generate-keys - name: Generate WireGuard public key shell: "echo '{{wg_private_key}}' | wg pubkey" register: wg_public_key_result - when: private_key_file.stat.exists == False + when: private_key_file_stat.stat.exists == False with_inventory_hostnames: - vpn tags: @@ -79,7 +87,7 @@ - name: Set public key fact set_fact: wg_public_key: "{{wg_public_key_result.results[0].stdout}}" - when: private_key_file.stat.exists == False + when: private_key_file_stat.stat.exists == False tags: - wg-generate-keys @@ -87,9 +95,9 @@ local_action: module: template src: "wg-privatekey.j2" - dest: "{{wireguard_cert_directory}}/{{inventory_hostname}}.private.key" + dest: "{{private_key_file_path}}" mode: 0600 - when: private_key_file.stat.exists == False + when: private_key_file_stat.stat.exists == False tags: - wg-generate-keys 
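Review bot: The two new `set_fact` tasks that define `private_key_file_path` and `public_key_file_path` carry only the `wg-config` tag, while the `stat` task in this hunk that reads `{{private_key_file_path}}` (and the key-writing tasks in the later hunks that use both paths) are tagged `wg-generate-keys`; a run limited to `--tags wg-generate-keys` skips the `set_fact` and fails on an undefined variable. Tag both `set_fact` tasks with both tags, `tags: [wg-generate-keys, wg-config]`, or with `tags: always`, since they only derive paths and have no side effects. Minor: these two tasks write `tags:` as a bare scalar while every other task in the file uses a list; one form should be used throughout.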
@@ -97,24 +105,44 @@ local_action: module: template src: "wg-publickey.j2" - dest: "{{wireguard_cert_directory}}/{{inventory_hostname}}.public.key" + dest: "{{public_key_file_path}}" mode: 0600 - when: private_key_file.stat.exists == False + when: private_key_file_stat.stat.exists == False tags: - wg-generate-keys - #- name: Generate WireGuard configuration file - # template: - # src: wireguard.conf.j2 - # dest: /etc/wireguard/wg0.conf - # owner: root - # group: root - # mode: 0600 - # force: no - # - # - #- name: Start and enable WireGuard service - # service: - # name: wg-quick@wg0 - # state: started - # enabled: yes +- name: Read private key from local filesystem + set_fact: + private_key: "{{lookup('file', private_key_file_path)}}" + tags: + wg-config + +- name: Read public key from local filesystem + set_fact: + public_key: "{{lookup('file', public_key_file_path)}}" + tags: + wg-config + +- name: Create WireGuard configuration directory + file: + dest: "{{wireguard_remote_directory}}" + state: directory + mode: 0700 + tags: + - wg-config + +- name: Generate WireGuard configuration file + template: + src: wg-fullmesh.conf.j2 + dest: "{{wireguard_remote_directory}}/wg0.conf" + owner: root + group: root + mode: 0600 + tags: + - wg-config + +- name: Start and enable WireGuard service + service: + name: wg-quick@wg0 + state: started + enabled: yes diff --git a/templates/wg-fullmesh.conf.j2 b/templates/wg-fullmesh.conf.j2 new file mode 100644 index 0000000..f61ba9f --- /dev/null +++ b/templates/wg-fullmesh.conf.j2 @@ -0,0 +1,14 @@ +#jinja2: trim_blocks:False +[Interface] +Address = {{vpn_ip}} +PrivateKey = {{private_key}} +ListenPort = {{wireguard_port}} + +{% for host in groups["vpn"] %} + {%- if host != inventory_hostname -%} + [Peer] + PublicKey = {{hostvars[host]['public_key']}} + AllowedIPs = {{hostvars[host]['vpn_ip']}}/32 + Endpoint = {{host}}:{{wireguard_port}} + {%- endif -%} +{% endfor %}
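Review bot: The `Read private key from local filesystem` task stores the WireGuard private key in a host fact without `no_log`, so the value shows up in the task result at increased verbosity (and in any callback or log that records results); add `no_log: true` to that task, and note that the fact is also reachable from every other host in the play through `hostvars`, the same mechanism the template uses for `public_key`. Separately, `dest: "{{wireguard_remote_directory}}/wg0.conf"` and `name: wg-quick@wg0` hard-code the interface name although `wireguard_interface` is defined in defaults/main.yml (visible in the first hunk of this patch); both should use `{{wireguard_interface}}`. The template task has no `notify`, so a changed config is never applied to an already-running `wg-quick@wg0` — `state: started` alone does not restart it — and a restart handler is needed. Minor: `enabled: yes` should be `enabled: true`, and the octal modes are safer quoted (`mode: "0700"`, `mode: "0600"`).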
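Review bot: The whitespace control in the peer loop of wg-fullmesh.conf.j2 appears to glue consecutive sections together: `{%- if host != inventory_hostname -%}` strips the newline before `[Peer]` and `{%- endif -%}` strips the one before `{% endfor %}`, so with `trim_blocks:False` and more than one peer the next `[Peer]` lands on the same line as the previous `Endpoint = …`, as far as I can trace it. The rendered `[Peer]` lines also keep their two-space indentation, which the wg config parser may or may not tolerate, so the block is safest written flush left. Rendering the template for an inventory with three `vpn` hosts and inspecting the output would confirm both points. The loop rewritten without the trailing `-` on the tags and without indentation:
```jinja
{# … unchanged: #jinja2 header and [Interface] section … #}
{% for host in groups["vpn"] %}
{%- if host != inventory_hostname %}

[Peer]
PublicKey = {{hostvars[host]['public_key']}}
AllowedIPs = {{hostvars[host]['vpn_ip']}}/32
Endpoint = {{host}}:{{wireguard_port}}
{%- endif %}
{% endfor %}
```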