--- - name: Gather instance facts setup: - include_tasks: "setup-{{ ansible_distribution|lower }}.yml" - name: Install WireGuard package: name: "{{ packages }}" state: present vars: packages: - wireguard-dkms - wireguard-tools tags: - wg-install - name: Enable WireGuard kernel module modprobe: name: wireguard state: present register: wireguard_module_enabled until: wireguard_module_enabled is succeeded retries: 10 delay: 10 failed_when: wireguard_module_enabled is failure tags: - wg-install - name: Set WireGuard IP (without mask) set_fact: wireguard_ip: "{{ wireguard_address.split('/')[0] }}" - name: Register if config/private key already exists on target host stat: path: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf" register: config_file_stat tags: - wg-generate-keys - wg-config - name: Get wg subcommands command: "wg --help" register: wg_subcommands changed_when: false - name: Set default value for wg_syncconf variable (assume wg syncconf subcommand not available) set_fact: wg_syncconf: false - name: Check if wg syncconf subcommand is available set_fact: wg_syncconf: true when: wg_subcommands.stdout | regex_search('syncconf:') - name: Show syncconf subcommand status debug: var: wg_syncconf - block: - name: Generate WireGuard private key shell: "wg genkey" register: wg_private_key_result tags: - wg-generate-keys - name: Set private key fact set_fact: private_key: "{{ wg_private_key_result.stdout }}" tags: - wg-generate-keys when: not config_file_stat.stat.exists - block: - name: Read WireGuard config file slurp: src: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf" register: wg_config tags: - wg-config - name: Set private key fact set_fact: private_key: "{{ wg_config['content'] | b64decode | regex_findall('PrivateKey = (.*)') | first }}" tags: - wg-config when: config_file_stat.stat.exists - name: Derive WireGuard public key shell: "echo '{{ private_key }}' | wg pubkey" # noqa 306 register: wg_public_key_result changed_when: false tags: - wg-config - name: Set public key fact set_fact: public_key: "{{ wg_public_key_result.stdout }}" tags: - wg-config - name: Create WireGuard configuration directory file: dest: "{{ wireguard_remote_directory }}" state: directory mode: 0700 tags: - wg-config - block: - name: Create private key for unmanaged hosts shell: | set -o errexit set -o pipefail wg genkey | tee {{ wireguard_remote_directory }}/{{ item.host }}-privatekey exit 0 args: executable: /bin/bash creates: "{{ wireguard_remote_directory }}/{{ item.host }}-privatekey" register: uh_private_key with_items: "{{ wireguard_unmanaged_hosts | default([]) }}" - name: Validate permissions of unmanaged hosts' private keys file: path: "{{ wireguard_remote_directory }}/{{ item.host }}-privatekey" mode: '0400' with_items: "{{ wireguard_unmanaged_hosts | default([]) }}" - name: Recover existing private key for unmanaged hosts shell: "cat {{ wireguard_remote_directory }}/{{ item.host }}-privatekey" register: uh_private_key changed_when: false with_items: "{{ wireguard_unmanaged_hosts | default([]) }}" - name: Derive WireGuard public key for unmanaged hosts shell: "cat {{ wireguard_remote_directory }}/{{ item.host }}-privatekey | wg pubkey | tee {{ wireguard_remote_directory }}/{{ item.host }}-pubkey" args: creates: "{{ wireguard_remote_directory }}/{{ item.host }}-pubkey" executable: "/bin/bash" register: uh_public_key with_items: "{{ wireguard_unmanaged_hosts | default([]) }}" - name: Recover existing public key for unmanaged hosts shell: "cat {{ wireguard_remote_directory }}/{{ item.host }}-pubkey" register: uh_public_key changed_when: false with_items: "{{ wireguard_unmanaged_hosts | default([]) }}" when: wireguard_unmanaged_hosts is defined and wireguard_unmanaged_hosts - name: Generate WireGuard configuration file template: src: wg.conf.j2 dest: "{{ wireguard_remote_directory }}/{{ wireguard_interface }}.conf" owner: root group: root mode: 0600 tags: - wg-config notify: - reconfigure wireguard - name: Generate WireGuard configuration file for unmanaged systems template: src: wg-unmanaged.conf.j2 dest: "{{ wireguard_remote_directory }}/{{ item.item.host }}.conf" owner: root group: root mode: 0600 with_items: "{{ uh_private_key.results }}" - name: Check if reload-module-on-update is set stat: path: "{{ wireguard_remote_directory }}/.reload-module-on-update" register: reload_module_on_update tags: - wg-config - name: Set WireGuard reload-module-on-update file: dest: "{{ wireguard_remote_directory }}/.reload-module-on-update" state: touch when: not reload_module_on_update.stat.exists tags: - wg-config - name: Start and enable WireGuard service service: name: "wg-quick@{{ wireguard_interface }}" state: started enabled: yes